216657 matches found
CVE-2026-39330 ChurchCRM has a Blind SQL injection in PropertyAssign.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles ManageGroups and Edit Records isEditRecordsEnabled can inject arbitrary SQL...
CVE-2026-39330
ChurchCRM (pre-7.1.0) contains a SQL injection in /PropertyAssign.php exploitable by authenticated users with roles Manage Groups & Roles and Edit Records via the Value parameter. The vulnerability can allow arbitrary SQL execution to read/modify database data. It is fixed in 7.1.0; upgrade to 7....
CVE-2026-39330
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles ManageGroups and Edit Records isEditRecordsEnabled can inject arbitrary SQL...
EUVD-2026-19825
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles ManageGroups and Edit Records isEditRecordsEnabled can inject arbitrary SQL...
CVE-2026-39329 ChurchCRM has a Blind SQL injection in EventNames.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reach...
CVE-2026-39329
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reach...
CVE-2026-39327
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles ManageGroups can inject arbitrary SQL statements through the NewRole...
CVE-2026-39327
CVE-2026-39327 : ChurchCRM (open-source church management system) has a SQL injection in the /MemberRoleChange.php endpoint. The flaw affects ChurchCRM 7.0.5, prior to 7.1.0. Authenticated users with the Manage Groups & Roles (ManageGroups) permission can inject arbitrary SQL statements via the N...
CVE-2026-39327 ChurchCRM has a SQL injection in MemberRoleChange.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles ManageGroups can inject arbitrary SQL statements through the NewRole...
EUVD-2026-19811
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description paramete...
CVE-2026-39326 ChurchCRM has a Blind SQL injection in PropertyTypeEditor.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description paramete...
CVE-2026-39326
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description paramete...
CVE-2026-39325
ChurchCRM (open-source church management) has a Blind SQL injection in /SettingsUser.php affecting versions prior to 7.1.0 (notably 7.0.5). Authenticated administrative users can inject arbitrary SQL through the type array parameter (via the index) to read/modify database data. The vulnerability ...
CVE-2026-39323
...
CVE-2026-39323
REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39326. Reason: This candidate is a duplicate of CVE-2026-39326. Notes: All CVE users should reference CVE-2026-39326 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental...
CVE-2026-39323
CVE-2026-39323 affects ChurchCRM prior to 7.1.0, where a SQL injection in PropertyTypeEditor.php arises because the Name and Description POST parameters are sanitized only with strip_tags() before direct SQL string concatenation. Authenticated users with the Manage Properties permission can execu...
CVE-2026-39323
...
CVE-2026-39317
REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39334. Reason: This candidate is a duplicate of CVE-2026-39334. Notes: All CVE users should reference CVE-2026-39334 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental...
CVE-2026-39317
CVE-2026-39317 affects ChurchCRM prior to version 7.1.0. The vulnerability arises in SettingsIndividual.php where user‑controlled keys from the POST parameter are used directly in SQL queries without sanitization, enabling authenticated users to extract sensitive data from the database. Root caus...
CVE-2026-39317
...