CVE-2026-39325 ChurchCRM has a Blind SQL injection in SettingsUser.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative users can inject arbitrary SQL statements through the type array parameter via the index and thus extra...

EUVD-2026-19720

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in src/Reports/FundRaiserStatement.php where the $SESSION'iCurrentFundraiser' value is used in an unquoted numeric SQL context without integer validation. The value originates from...