4 matches found

Source: Cvelist (added 2026/04/07 5:27 p.m., 14 views)

CVE-2026-39318 ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php

ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints /GroupPropsFormRowOps.php, /PersonCustomFieldsRowOps.php, and /FamilyCustomFieldsRowOps.php. A user has to be authenticated. For ManageGroups privileges have to be...

CVSS: 8.8 | EPSS: 0.0034
Exploits: 1 | References: 2
Source: EUVD (added 2026/04/07 5:27 p.m., 3 views)

EUVD-2026-19808

ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupPropsFormRowOps.php file contains a SQL injection vulnerability. User input in the Field parameter is directly inserted into SQL queries without proper sanitization. The mysqli_real_escape_string() function does not escape...

CVSS: 8.8 | AI score: 6.1 | EPSS: 0.0034
Exploits: 1 | References: 1
Source: CVE (added 2026/04/07 5:27 p.m., 18 views)

CVE-2026-39318

CVE-2026-39318 affects ChurchCRM prior to 7.1.0, where the GroupPropsFormRowOps.php file renders user-provided Field input directly into SQL queries. The underlying issue is improper sanitization, and specifically that mysqli_real_escape_string() does not escape backtick characters, enabling an a...

CVSS: 8.8 | AI score: 6 | EPSS: 0.0034
Exploits: 1 | References: 2 | Affected Software: 1
Source: Positive Technologies (added 2026/04/07 12:00 a.m., 10 views)

PT-2026-30944

ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupPropsFormRowOps.php file contains a SQL injection vulnerability. User input in the Field parameter is directly inserted into SQL queries without proper sanitization. The mysqli_real_escape_string() function does not esca...

CVSS: 8.8 | AI score: 6.1 | EPSS: 0.0034
Exploits: 1 | References: 2