216507 matches found
CVE-2026-39342
ChurchCRM prior to 7.1.0 is vulnerable to SQL injection via the searchwhat parameter (QueryView.php?QueryID=15) when accessed by an authenticated user with Data/Reports > Query Menu and the Advanced Search query. Root cause: improper input handling enables SQL injection. Impact is high for con...
CVE-2026-39342 ChurchCRM has a SQL injection searchwhat parameter via QueryView.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports Query Menu and access to the "Advanced Search" query. This vulnerability is...
CVE-2026-39340 ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer Substitution
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories People → Person Properties / Family Properties. The vulnerability was introduced whe...
CVE-2026-39340
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories People → Person Properties / Family Properties. The vulnerability was introduced whe...
CVE-2026-39340
ChurchCRM prior to 7.1.0 contains a SQL injection in PropertyTypeEditor.php (administration for Person/Family Properties). Replacing legacyFilterInput() (strips HTML and escapes SQL) with sanitizeText() (strips HTML only) causes user-supplied Name/Description values to be concatenated into raw IN...
CVE-2026-39334 ChurchCRM has a Blind SQL injection in SettingsIndividual.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via t...
CVE-2026-39334 ChurchCRM has a Blind SQL injection in SettingsIndividual.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via t...
CVE-2026-39334
ChurchCRM contains a blind SQL injection in SettingsIndividual.php affecting 7.0.5, exploitable by authenticated users with low privileges via the type array parameter. The issue allows extraction and modification of database content and is fixed in 7.1.0. The available documents provide the affe...
CVE-2026-39330 ChurchCRM has a Blind SQL injection in PropertyAssign.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles ManageGroups and Edit Records isEditRecordsEnabled can inject arbitrary SQL...
CVE-2026-39330 ChurchCRM has a Blind SQL injection in PropertyAssign.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles ManageGroups and Edit Records isEditRecordsEnabled can inject arbitrary SQL...
CVE-2026-39330
ChurchCRM (pre-7.1.0) contains a SQL injection in /PropertyAssign.php exploitable by authenticated users with roles Manage Groups & Roles and Edit Records via the Value parameter. The vulnerability can allow arbitrary SQL execution to read/modify database data. It is fixed in 7.1.0; upgrade to 7....
CVE-2026-39330
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles ManageGroups and Edit Records isEditRecordsEnabled can inject arbitrary SQL...
EUVD-2026-19825
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles ManageGroups and Edit Records isEditRecordsEnabled can inject arbitrary SQL...
CVE-2026-39329 ChurchCRM has a Blind SQL injection in EventNames.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reach...
CVE-2026-39329
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reach...
CVE-2026-39327 ChurchCRM has a SQL injection in MemberRoleChange.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles ManageGroups can inject arbitrary SQL statements through the NewRole...
CVE-2026-39327
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles ManageGroups can inject arbitrary SQL statements through the NewRole...
CVE-2026-39327
CVE-2026-39327 : ChurchCRM (open-source church management system) has a SQL injection in the /MemberRoleChange.php endpoint. The flaw affects ChurchCRM 7.0.5, prior to 7.1.0. Authenticated users with the Manage Groups & Roles (ManageGroups) permission can inject arbitrary SQL statements via the N...
EUVD-2026-19811
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description paramete...
CVE-2026-39326 ChurchCRM has a Blind SQL injection in PropertyTypeEditor.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description paramete...