CVE-2026-39319 ChurchCRM has a Second Order SQLI via FundRaiserEditor.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through th...
ChurchCRM CurrentFundraiser Parameter Blind SQL Injection Vulnerability
ChurchCRM is an open-source church management system. ChurchCRM suffers from a blind SQL injection vulnerability that stems from the CurrentFundraiser parameter being appended directly to a SQL query without sufficient sanitization, which can be exploited by an attacker to execute arbitrary SQL querie...
PT-2025-7494 · Churchcrm · Churchcrm
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions 5.13.0 and prior Description: A boolean-based and time-based blind SQL Injection vulnerability exists in the DonatedItemEditor functionality, allowing an attacker to execute arbitrary SQL queries. The CurrentFundraiser...
PT-2024-21184 · Churchcrm · Churchcrm
Name of the Vulnerable Software and Affected Versions: ChurchCRM version 5.5.0 Description: The issue concerns a Blind SQL Injection vulnerability, specifically time-based, that can be exploited via the CurrentFundraiser GET parameter in the FRBidSheets.php file. Recommendations: For ChurchCRM...