SQL injection in ChurchCRM - CVE-2026-34402


Published: April 9, 2026


Vulnerability identifier: #VU125691
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34402
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and modify database content.

The vulnerability exists because the Value POST parameter, handled by the PropertyAssign.php endpoint when processing property value assignment requests, is passed into an SQL query without proper sanitization. A remote, authenticated user can send a specially crafted request to read sensitive information from the database and modify its content.

Exploitation requires a valid session and either the Edit Records or the Manage Groups permission, so the attacker must already hold a low-privileged account on the instance.
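The following is an added example, not ChurchCRM's code: it models the CWE-89 pattern described above in Python with sqlite3. The schema, table and column names, the handler, and the payload are all hypothetical and constructed for illustration. The vulnerable handler splices a free-text "Value" field into an INSERT; a payload closes the quoted value, adds a second row that copies data out of another table, and re-opens the quote so the statement still parses. The hardened handler binds the same value as a parameter, so the payload is stored as an inert string.

```python
import sqlite3

# Constructed stand-in for a CRM database. The table and column names are
# hypothetical and are not ChurchCRM's schema.
SCHEMA = """
CREATE TABLE person (per_id INTEGER PRIMARY KEY, per_name TEXT, per_email TEXT);
CREATE TABLE record2property (r2p_record_id INTEGER, r2p_value TEXT);
INSERT INTO person VALUES (1, 'Alice', 'alice@example.org');
INSERT INTO person VALUES (2, 'Bob', 'bob@example.org');
"""

# Constructed payload: closes the quoted value, adds a second row whose value
# is read from another table, then re-opens the quote so the template's
# trailing ') still parses.
PAYLOAD = "x'), (1, (SELECT group_concat(per_email) FROM person) || '"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def assign_value_vulnerable(conn: sqlite3.Connection, record_id: int, value: str) -> None:
    """Hypothetical handler with the CWE-89 flaw: the record id is cast to int,
    but the free-text Value field is interpolated straight into the SQL text."""
    sql = (
        "INSERT INTO record2property (r2p_record_id, r2p_value) "
        f"VALUES ({int(record_id)}, '{value}')"
    )
    conn.execute(sql)
    conn.commit()


def assign_value_fixed(conn: sqlite3.Connection, record_id: int, value: str) -> None:
    """Same handler with bound parameters: the driver passes the value
    separately from the SQL text, so quotes and keywords inside it are data."""
    conn.execute(
        "INSERT INTO record2property (r2p_record_id, r2p_value) VALUES (?, ?)",
        (int(record_id), value),
    )
    conn.commit()


def stored_values(conn: sqlite3.Connection, record_id: int) -> list[str]:
    """Return the values stored for a record, in insertion order."""
    rows = conn.execute(
        "SELECT r2p_value FROM record2property WHERE r2p_record_id = ? ORDER BY rowid",
        (record_id,),
    )
    return [row[0] for row in rows]


def compare(payload: str = PAYLOAD) -> tuple[list[str], list[str]]:
    """Run the payload through both handlers on fresh databases and return
    (values stored by the vulnerable handler, values stored by the fixed one)."""
    vuln_db, fixed_db = fresh_db(), fresh_db()
    assign_value_vulnerable(vuln_db, 1, payload)
    assign_value_fixed(fixed_db, 1, payload)
    return stored_values(vuln_db, 1), stored_values(fixed_db, 1)


if __name__ == "__main__":
    vulnerable, fixed = compare()
    print("vulnerable handler stored:", vulnerable)
    print("fixed handler stored:     ", fixed)
```

Run stand-alone, the vulnerable handler stores two rows for record 1, the second containing every e-mail address from the person table, which an attacker with rights to view that record can then read back; the fixed handler stores exactly one row holding the payload verbatim. Casting the numeric id is not enough on its own: every value that reaches the query text must be bound.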


How to mitigate CVE-2026-34402

Install the security update from the vendor's website.
