SQL injection in ChurchCRM - #VU125680

Published: April 9, 2026


Vulnerability identifier: #VU125680
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software: ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in QueryView.php when processing the searchstring POST parameter in stored query templates. A remote attacker can send a specially crafted POST request to execute arbitrary SQL commands.

The issue is reachable through the reporting query menu, including the default Advanced Search stored query with QueryID 15.
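The pattern behind CWE-89 here is a stored query template whose user-supplied value is spliced into the SQL text instead of being bound by the database driver. The example below, added for this page and not taken from ChurchCRM's code, shows the two designs side by side on an in-memory SQLite table: a template that splices the `searchstring` value into the statement, a template that leaves a bind marker for the driver, and a small audit helper that flags templates still using the splice form. The table name, column names, `$name` placeholder syntax and sample rows are all constructed assumptions.

```python
import re
import sqlite3

# Constructed sample rows; not ChurchCRM's real schema or data.
SAMPLE_PEOPLE = [(1, "Alice", "Smith"), (2, "Bob", "Jones"), (3, "Carol", "Smith")]

# Two hypothetical stored-query templates. SPLICE_TEMPLATE embeds the search
# value in the SQL text (the vulnerable design); BOUND_TEMPLATE leaves a
# :searchstring bind marker that the driver fills without parsing it as SQL.
SPLICE_TEMPLATE = (
    "SELECT per_ID FROM person_per WHERE per_LastName = '$searchstring' ORDER BY per_ID"
)
BOUND_TEMPLATE = (
    "SELECT per_ID FROM person_per WHERE per_LastName = :searchstring ORDER BY per_ID"
)

# Matches $name placeholders of the splice form (assumed template syntax).
SPLICE_PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person_per (per_ID INTEGER, per_FirstName TEXT, per_LastName TEXT)"
    )
    conn.executemany("INSERT INTO person_per VALUES (?, ?, ?)", SAMPLE_PEOPLE)
    return conn


def fill_template(template, values):
    """Textual substitution of $name placeholders. Unsafe for untrusted values:
    whatever the value contains becomes part of the statement."""
    return SPLICE_PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def run_spliced(conn, searchstring):
    """Vulnerable path: the POST value is spliced into the SQL text before execution."""
    sql = fill_template(SPLICE_TEMPLATE, {"searchstring": searchstring})
    return [row[0] for row in conn.execute(sql)]


def run_bound(conn, searchstring):
    """Hardened path: the template keeps its bind marker and the value travels
    separately, so quote characters in it never change the statement's shape."""
    return [row[0] for row in conn.execute(BOUND_TEMPLATE, {"searchstring": searchstring})]


def splice_placeholders(template):
    """Audit helper: names of $placeholders a stored template would splice as text.
    A non-empty result means the template still needs converting to bind markers."""
    return SPLICE_PLACEHOLDER.findall(template)


if __name__ == "__main__":
    db = make_db()
    tautology = "Smith' OR '1'='1"
    print("spliced, plain input :", run_spliced(db, "Smith"))
    print("bound,   plain input :", run_bound(db, "Smith"))
    print("spliced, tautology   :", run_spliced(db, tautology))
    print("bound,   tautology   :", run_bound(db, tautology))
    print("templates to fix     :", splice_placeholders(SPLICE_TEMPLATE))
```

With an ordinary last name both paths return the same rows; with a value containing a quote and a tautology, the spliced path returns every row because the value rewrote the `WHERE` clause, while the bound path simply finds no match. When converting existing templates, note that the splice form carries its own quotes around the placeholder and those quotes must be dropped, since a bind marker inside a string literal is just text.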


Remediation

Install the security update from the vendor's website.

Sources