CVE-2026-39318
CVE-2026-39318 affects ChurchCRM prior to 7.1.0, where the GroupPropsFormRowOps.php file renders user-provided Field input directly into SQL queries. The underlying issue is improper sanitization, and specifically that mysqli_real_escape_string() does not escape backtick characters, enabling an a...