SB2026040988 - Multiple vulnerabilities in ChurchCRM


Published: April 9, 2026

Security Bulletin ID: SB2026040988
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 21
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium 71% Low 29%

Description

This security bulletin contains information about 21 security vulnerabilities.


1) SQL injection (CVE-ID: CVE-2026-35566)

The vulnerability allows a remote user to execute arbitrary SQL queries and disclose sensitive information.

The vulnerability exists due to SQL injection in src/Reports/FundRaiserStatement.php when processing a session value in an unquoted numeric SQL context. A remote user can plant a specially crafted FundRaiserID value in the session and trigger the vulnerable report to execute arbitrary SQL queries and disclose sensitive information.

Exploitation requires two HTTP requests because the payload is first stored in the session and then executed later in a different file.


2) SQL injection (CVE-ID: CVE-2026-34402)

The vulnerability allows a remote user to disclose sensitive information and modify database content.

The vulnerability exists due to SQL injection in the PropertyAssign.php endpoint when processing the Value POST parameter in property value assignment requests. A remote user can send a specially crafted request to disclose sensitive information and modify database content.

Exploitation requires a valid session and either Edit Records or Manage Groups permission.


3) SQL injection (CVE-ID: CVE-2026-39317)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in SettingsIndividual.php when handling the type POST parameter array keys in SQL queries. A remote user can send a specially crafted POST request to disclose sensitive information.


4) SQL injection (CVE-ID: CVE-2026-39318)

The vulnerability allows a remote user to execute arbitrary SQL statements.

The vulnerability exists due to SQL injection in GroupPropsFormRowOps.php when handling the Field parameter in requests. A remote user can send a specially crafted request to execute arbitrary SQL statements.

Exploitation requires a valid ChurchCRM user account with the ManageGroups permission, a target group with grp_hasSpecialProps=1, and a valid property field registered in the groupprop_master table.


5) SQL injection (CVE-ID: CVE-2026-39319)

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the /FundRaiserEditor.php endpoint and downstream fundraiser-related endpoints when processing the iCurrentFundraiser PHP session variable. A remote user can inject a crafted FundRaiserID value that is stored in the session and later concatenated into SQL queries to execute arbitrary SQL commands.

The issue is second-order and is triggered after the session value is reused by endpoints including PaddleNumEditor.php, DonatedItemEditor.php, DonatedItemDelete.php, PaddleNumDelete.php, BatchWinnerEntry.php, and FundRaiserStatement.php.
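Items 1 and 5 describe the same second-order shape: one page copies a request value into the session, another page later concatenates that session value into an unquoted numeric SQL context on the assumption that session data is trusted. The following PHP is an added illustration written for this bulletin, not ChurchCRM's own code; $pdo is assumed to be a configured PDO connection, and the table and column names (fundraiser_fr, fr_ID) are placeholders.

```php
<?php
// Illustrative PHP, not ChurchCRM's code. Placeholder table/column names.

// --- Page A (vulnerable): parks whatever the request supplied in the session
function storeCurrentFundraiserVulnerable(): void
{
    // No validation: "1 OR 1=1" or "1 UNION SELECT ..." survives into the session.
    $_SESSION['iCurrentFundraiser'] = $_GET['FundRaiserID'] ?? '';
}

// --- Page B (vulnerable): trusts the session value because "it is not user input"
function loadFundraiserVulnerable(PDO $pdo): array
{
    $sSQL = "SELECT * FROM fundraiser_fr WHERE fr_ID = " . $_SESSION['iCurrentFundraiser'];
    return $pdo->query($sSQL)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened: validate at the boundary AND parameterize at the sink --------
function storeCurrentFundraiserHardened(): void
{
    $id = filter_input(
        INPUT_GET,
        'FundRaiserID',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid FundRaiserID');
    }
    $_SESSION['iCurrentFundraiser'] = $id; // stored as int, never as a raw string
}

function loadFundraiserHardened(PDO $pdo): array
{
    // Re-check at the sink: the session is shared state that other code may write,
    // so every consumer of iCurrentFundraiser must validate, not just the setter.
    $id = $_SESSION['iCurrentFundraiser'] ?? null;
    if (!is_int($id) || $id < 1) {
        throw new RuntimeException('No valid fundraiser selected');
    }
    $stmt = $pdo->prepare('SELECT * FROM fundraiser_fr WHERE fr_ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The practical check when auditing for this class is to treat $_SESSION reads as untrusted in the same way as $_GET and $_POST: grep for session keys that appear in string-built SQL, then trace back to every writer of that key. A single validated setter is not enough if any other page can write the key.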


6) SQL injection (CVE-ID: N/A)

The vulnerability allows a remote user to modify database tables.

The vulnerability exists due to SQL injection in GroupPropsFormRowOps.php, PersonCustomFieldsRowOps.php, and FamilyCustomFieldsRowOps.php when handling the Field parameter in ALTER TABLE queries. A remote user can send a specially crafted request to modify database tables.

Exploitation requires authentication, and the affected functionality must be enabled for group-specific properties in the group endpoint.


7) SQL injection (CVE-ID: CVE-2026-35567)

The vulnerability allows a remote user to inject arbitrary SQL.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in src/MemberRoleChange.php when handling the NewRole POST parameter. A remote user can send a specially crafted POST request to inject arbitrary SQL.

Exploitation requires a valid authenticated session with the ManageGroups role and knowledge of a valid GroupID and PersonID.


8) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-35534)

The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in PersonView.php when rendering the Facebook field in an HTML attribute context. A remote user can store a specially crafted Facebook field value to execute arbitrary JavaScript in a victim's browser.

User interaction is required when a victim views the affected person's profile page.


9) SQL injection (CVE-ID: CVE-2026-39340)

The vulnerability allows a remote user to disclose sensitive information and modify arbitrary database records.

The vulnerability exists due to SQL injection in PropertyTypeEditor.php when processing Name and Description fields in property type save requests. A remote user can send specially crafted input to disclose sensitive information and modify arbitrary database records.

Exploitation requires the MenuOptions role and can be performed through the administration functionality for managing people and family property type categories.


10) SQL injection (CVE-ID: CVE-2026-39323)

The vulnerability allows a remote user to execute arbitrary SQL commands to disclose sensitive information and modify data.

The vulnerability exists due to SQL injection in PropertyTypeEditor.php when handling the Name and Description POST parameters. A remote user can send specially crafted POST parameters to execute arbitrary SQL commands to disclose sensitive information and modify data.

Exploitation requires the Manage Properties permission, and injected data may persist in the database and be reflected across multiple application pages without output encoding.


11) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-39338)

The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser and disclose sensitive information.

The vulnerability exists due to improper neutralization of input during web page generation in the global search functionality when processing user-supplied search input. A remote attacker can send a specially crafted URL or search term to execute arbitrary script in a victim's browser and disclose sensitive information.

User interaction is required to load the crafted URL or submit the crafted search input.


12) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-39331)

The vulnerability allows a remote user to modify arbitrary family records and trigger unauthorized family operations.

The vulnerability exists due to authorization bypass through a user-controlled key in the family API endpoints in src/api/routes/people/people-family.php when handling requests with a modified {familyId} parameter. A remote user can send specially crafted API requests to modify arbitrary family records and trigger unauthorized family operations.

The affected endpoints can be used to activate or deactivate families, trigger verification actions and emails, and invoke geocoding for arbitrary families.


13) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-39328)

The vulnerability allows a remote user to execute arbitrary script in a victim's browser and disclose session cookies.

The vulnerability exists due to cross-site scripting in the person profile editing functionality when rendering user-supplied social profile fields. A remote user can inject malicious JavaScript into the Facebook, LinkedIn, and X profile fields to execute arbitrary script in a victim's browser and disclose session cookies.

User interaction is required when another user views the attacker's profile page.


14) SQL injection (CVE-ID: CVE-2026-39325)

The vulnerability allows a remote user to execute arbitrary SQL commands and disclose or modify database information.

The vulnerability exists due to SQL injection in the /SettingsUser.php endpoint when handling the POST type array parameter. A remote privileged user can send a specially crafted request to execute arbitrary SQL commands and disclose or modify database information.

The issue is blind in nature and occurs because array indexes from the type parameter are used unsafely in a database query.


15) SQL injection (CVE-ID: CVE-2026-39334)

The vulnerability allows a remote user to disclose and modify sensitive information.

The vulnerability exists due to SQL injection in the /SettingsIndividual.php endpoint when processing the POST type array parameter. A remote user can send a specially crafted request to disclose and modify sensitive information.

The issue is blind and occurs because unsanitized array indexes are incorporated into a SELECT query.
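Items 3, 14 and 15 share one root cause: the keys of a POST array are used as row identifiers in SQL while only the values are treated as input. PHP accepts arbitrary strings as array keys, so a request body of type[1 OR 1=1]=x arrives as $_POST['type'] = ['1 OR 1=1' => 'x']. The following PHP is an added illustration for this bulletin, not ChurchCRM's code; $pdo is an assumed PDO connection and the table/column names (userconfig_ucfg, ucfg_id, ucfg_value) are placeholders.

```php
<?php
// Illustrative PHP, not ChurchCRM's code. Placeholder table/column names.

// Vulnerable: the developer quoted the value but forgot the key is also user input.
function saveSettingsVulnerable(PDO $pdo, array $post): void
{
    foreach ($post['type'] as $settingId => $newValue) {
        $value = $pdo->quote($newValue);                       // value is escaped...
        $sql = "UPDATE userconfig_ucfg SET ucfg_value = $value"
             . " WHERE ucfg_id = $settingId";                   // ...the key is not
        $pdo->exec($sql);
    }
}

// Hardened: accept only integer keys, restrict them to IDs this user may edit,
// and bind both key and value as parameters.
function saveSettingsHardened(PDO $pdo, array $post, array $allowedIds): void
{
    $types = $post['type'] ?? [];
    if (!is_array($types)) {
        return; // or reject the request
    }
    $stmt = $pdo->prepare(
        'UPDATE userconfig_ucfg SET ucfg_value = :value WHERE ucfg_id = :id'
    );
    foreach ($types as $settingId => $newValue) {
        // PHP converts canonical decimal strings ("12") to int keys on its own;
        // anything still a string here ("1 OR 1=1", "12abc") is hostile.
        if (!is_int($settingId) || !in_array($settingId, $allowedIds, true)) {
            continue; // or log and abort the whole request
        }
        $stmt->bindValue(':value', (string) $newValue, PDO::PARAM_STR);
        $stmt->bindValue(':id', $settingId, PDO::PARAM_INT);
        $stmt->execute();
    }
}
```

The $allowedIds list is the second half of the fix: even with parameterization, letting a user name arbitrary row IDs is an authorization problem, so the hardened version also scopes writes to the settings the caller owns.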


16) SQL injection (CVE-ID: CVE-2026-39326)

The vulnerability allows a remote user to extract and modify information from the database.

The vulnerability exists due to SQL injection in the /PropertyTypeEditor.php endpoint when handling POST parameters Name and Description. A remote user can send specially crafted parameter values to extract and modify information from the database.

Exploitation requires an account with the isMenuOptionsEnabled role.


17) SQL injection (CVE-ID: CVE-2026-39330)

The vulnerability allows a remote user to disclose and modify database information.

The vulnerability exists due to SQL injection in the /PropertyAssign.php endpoint when handling the Value POST parameter. A remote user can send a specially crafted request to disclose and modify database information.

Exploitation requires the Manage Groups & Roles and Edit Records permissions.


18) SQL injection (CVE-ID: CVE-2026-39329)

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in EventNames.php when handling the newEvtTypeCntLst parameter during event type creation. A remote user can send a specially crafted request to execute arbitrary SQL commands.

Exploitation is limited to users with AddEvent permissions, and the unsafe interpolation occurs in the ON DUPLICATE KEY UPDATE clause after the same input is filtered in the VALUES portion.
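The item 18 pattern is easy to miss in review because the input is visibly escaped once. The following PHP is an added illustration for this bulletin, not ChurchCRM's code; $pdo is an assumed PDO connection and the table/column names (event_types, type_name, type_count_list) are placeholders. It shows the same input escaped in VALUES but interpolated raw in ON DUPLICATE KEY UPDATE, then the single-statement fix.

```php
<?php
// Illustrative PHP, not ChurchCRM's code. Placeholder table/column names.

// Vulnerable: two copies of the same input, only one of them filtered.
function createEventTypeVulnerable(PDO $pdo, string $name, string $countList): void
{
    $safeName = $pdo->quote($name);
    $safeList = $pdo->quote($countList);
    $sql = "INSERT INTO event_types (type_name, type_count_list)"
         . " VALUES ($safeName, $safeList)"
         . " ON DUPLICATE KEY UPDATE type_count_list = '$countList'"; // raw copy
    $pdo->exec($sql);
}

// Hardened: one prepared statement; every occurrence of the input is a bound
// parameter, and the UPDATE clause reuses the inserted value via VALUES()
// instead of carrying a second copy of the input at all.
function createEventTypeHardened(PDO $pdo, string $name, string $countList): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO event_types (type_name, type_count_list)'
        . ' VALUES (:name, :list)'
        . ' ON DUPLICATE KEY UPDATE type_count_list = VALUES(type_count_list)'
    );
    $stmt->execute([':name' => $name, ':list' => $countList]);
}
```

When auditing, grep for ON DUPLICATE KEY UPDATE (and similarly for ORDER BY, LIMIT and column-list fragments) and check that the clause is built from bound parameters rather than from the same variable that was escaped a few lines earlier. MySQL 8.0.20 and later prefer the row-alias form over VALUES(), but VALUES() still works and is the shorter fix.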


19) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-39336)

The vulnerability allows a remote user to execute arbitrary script in a victim's browser session.

The vulnerability exists due to cross-site scripting in multiple ChurchCRM pages when rendering persisted configuration values inside HTML attribute contexts without attribute-safe encoding. A remote privileged user can store a specially crafted configuration value to execute arbitrary script in a victim's browser session.

User interaction is required, and exploitation occurs when another user visits an affected page that renders the stored value.


20) Observable Response Discrepancy (CVE-ID: CVE-2025-67874)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to an observable response discrepancy in HTTP responses when processing user-supplied passwords. A remote privileged user can submit a password and have it echoed back in plaintext in the HTTP response, disclosing sensitive information.

This can occur in workflows such as registration, password change or reset, and login error handling.


21) Cross-site scripting (CVE-ID: CVE-2026-39941)

The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in EditEventAttendees.php when attacker-supplied POST parameters are rendered in the HTML response. A remote user can send specially crafted POST parameters to execute arbitrary JavaScript in a victim's browser.

The issue may be reflected or stored depending on whether the injected value is persisted, and it affects users who view the page rendering the injected value.
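Items 8, 13, 19 and 21 are all output-encoding failures, and three of them (8, 13, 19) put a stored value inside an HTML attribute, where the encoding has to cover quotes and where a value used as href additionally needs a scheme check, since htmlspecialchars() does nothing about javascript: URLs. The following PHP is an added illustration for this bulletin, not ChurchCRM's code, and it assumes plain string-building rather than any template engine; the field names are placeholders.

```php
<?php
// Illustrative PHP, not ChurchCRM's code.

// Vulnerable: raw value in an attribute. A stored value such as
//   " autofocus onfocus=alert(document.cookie) x="
// closes the attribute and adds an event handler.
function renderFacebookLinkVulnerable(string $facebook): string
{
    return '<a href="' . $facebook . '">Facebook</a>';
}

// Context-aware helpers ------------------------------------------------------
function h(string $s): string
{
    // ENT_QUOTES escapes both ' and ", so the same helper is safe in
    // double- or single-quoted attributes and in element content.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function safeHref(string $url): ?string
{
    // Only absolute http(s) URLs; rejects javascript:, data:, vbscript:, etc.
    if (!preg_match('#\Ahttps?://#i', $url)) {
        return null;
    }
    return filter_var($url, FILTER_VALIDATE_URL) !== false ? $url : null;
}

// Hardened: attribute-encode every dynamic value, and render values that fail
// the scheme check as text rather than as a link.
function renderFacebookLinkHardened(string $facebook): string
{
    $href = safeHref($facebook);
    if ($href === null) {
        return h($facebook);
    }
    return '<a href="' . h($href) . '" rel="noopener noreferrer">Facebook</a>';
}

// Reflected case (item 21): the same rule applies to POST data echoed back
// into a form field.
function renderEchoedField(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}
```

For item 19 the stored values are configuration settings written by privileged users, which is why "only admins can set this" is not a mitigation: the rendering side still has to encode, because any user who can later load the page is a potential victim.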


Remediation

Install the update from the vendor's website.

References