CVE-2026-40482

ChurchCRM versions prior to 7.2.0 are affected by an authenticated SQL injection in FinancialService::getMemberByScanString(), caused by unsanitized input being concatenated into a raw SQL query used by the endpoint /api/families/byCheckNumber/{scanString}. The issue can impact confidentiality an...

CVE-2026-40482 ChurchCRM has Authenticated SQL Injection in `/api/families/byCheckNumber/{scanString}`

ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0...