5 matches found

CVE
added 2026/04/07 5:38 p.m. | 2 views

CVE-2026-39334

ChurchCRM contains a blind SQL injection in SettingsIndividual.php affecting 7.0.5, exploitable by authenticated users with low privileges via the type array parameter. The issue allows extraction and modification of database content and is fixed in 7.1.0. The available documents provide the affe...

CVSS 8.8 | AI score 6 | EPSS 0.00039
Exploits: 0 | References: 1 | Affected Software: 1

Vulnrichment
added 2026/04/07 5:38 p.m. | 2 views

CVE-2026-39334 ChurchCRM has a Blind SQL injection in SettingsIndividual.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via t...

CVSS 8.8 | AI score 6 | EPSS 0.00039
Exploits: 0 | References: 1

CVE
added 2026/04/07 5:20 p.m. | 1 views

CVE-2026-39317

CVE-2026-39317 affects ChurchCRM prior to version 7.1.0. The vulnerability arises in SettingsIndividual.php where user‑controlled keys from the POST parameter are used directly in SQL queries without sanitization, enabling authenticated users to extract sensitive data from the database. Root caus...

AI score 6 | EPSS 0.0003
Exploits: 0

Vulnrichment
added 2026/04/07 5:20 p.m. | 1 views

CVE-2026-39317

...

AI score 5.9 | EPSS 0.0003
Exploits: 0

CNNVD
added 2026/04/07 12:0 a.m. | 3 views

ChurchCRM SQL injection vulnerability

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.0 had a SQL injection vulnerability. This vulnerability stems from the SQL injection in the type array parameter of the /SettingsIndividual.php endpoint, which could lead to the extraction and...

CVSS 8.8 | AI score 5.9 | EPSS 0.00039
Exploits: 0 | References: 1