#VU125700 SQL injection in ChurchCRM - CVE-2026-39340

 


Published: April 9, 2026


Vulnerability identifier: #VU125700
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39340
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote user to disclose sensitive information and modify arbitrary database records.

The vulnerability exists due to SQL injection in PropertyTypeEditor.php when processing Name and Description fields in property type save requests. A remote user can send specially crafted input to disclose sensitive information and modify arbitrary database records.

Exploitation requires the MenuOptions role and can be performed through the administration functionality for managing people and family property type categories.
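As an added illustration (not ChurchCRM's code; the table name, column names and function names are assumed for the demo), the save pattern that produces this class of bug is shown beside the prepared-statement form a fix would use, run against an in-memory SQLite database:

```php
<?php
// Added illustration, not ChurchCRM's code: a minimal "property type" save
// written two ways. Table and column names are assumed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE propertytype (id INTEGER PRIMARY KEY, name TEXT NOT NULL, description TEXT)');

// Vulnerable pattern: request fields are interpolated straight into the SQL
// text, so the Name/Description values become part of the statement grammar.
function savePropertyTypeUnsafe(PDO $db, string $name, string $desc): void
{
    $db->exec("INSERT INTO propertytype (name, description) VALUES ('$name', '$desc')");
}

// Hardened pattern: a prepared statement with bound parameters keeps the
// user-supplied values as data, whatever characters they contain.
function savePropertyTypeSafe(PDO $db, string $name, string $desc): int
{
    $stmt = $db->prepare('INSERT INTO propertytype (name, description) VALUES (:name, :desc)');
    $stmt->execute([':name' => $name, ':desc' => $desc]);
    return (int) $db->lastInsertId();
}

// Constructed input: an ordinary name containing an apostrophe is enough to
// show that the unsafe version lets the value alter the statement itself.
$name = "Men's Group";
$desc = 'Adults 18+';

try {
    savePropertyTypeUnsafe($db, $name, $desc);
} catch (PDOException $e) {
    echo "unsafe save failed: the quote in the input changed the SQL statement\n";
}

$id = savePropertyTypeSafe($db, $name, $desc);
$stmt = $db->prepare('SELECT name, description FROM propertytype WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "safe save stored name={$row['name']} description={$row['description']}\n";
```

Any application that builds its own SQL strings from request fields should be reviewed for the first pattern; the second is the standard remediation for CWE-89.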


Remediation

Install the security update from the vendor's website.

External links