SQL injection in ChurchCRM - CVE-2026-39340

Published: April 9, 2026

Vulnerability identifier: #VU125700
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39340
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and modify arbitrary database records.

The vulnerability exists due to SQL injection in PropertyTypeEditor.php when processing Name and Description fields in property type save requests. A remote user can send specially crafted input to disclose sensitive information and modify arbitrary database records.

Exploitation requires the MenuOptions role and can be performed through the administration functionality for managing people and family property type categories.
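As an added illustration (not ChurchCRM's code; the table, column, parameter and function names below are assumptions), this contrasts the pattern the advisory describes, request values placed directly into the SQL text of the property type save, with the hardened form that binds them as parameters:

```php
<?php
// Added example, not ChurchCRM's code. Assumes a PDO connection to a MySQL
// table property_type(pro_ID, pro_Name, pro_Description); these names are
// made up for the illustration.

// Pattern the advisory describes: the Name and Description values from the
// save request become part of the statement text, so a value containing a
// quote or SQL keyword alters the query instead of being stored as data.
function savePropertyTypeUnsafe(PDO $db, int $id, string $name, string $desc): void
{
    $sql = "UPDATE property_type SET pro_Name = '$name', pro_Description = '$desc'"
         . " WHERE pro_ID = $id";
    $db->exec($sql); // request input is interpreted by the SQL parser
}

// Hardened form: the statement text is fixed and every request value is bound
// as a typed parameter, so the database never treats it as SQL.
function savePropertyTypeSafe(PDO $db, int $id, string $name, string $desc): bool
{
    // Reject values that cannot be a valid property type before touching the DB
    // (length limits are assumed, pick them from the real schema).
    if ($name === '' || mb_strlen($name) > 50 || mb_strlen($desc) > 255) {
        return false;
    }
    $stmt = $db->prepare(
        'UPDATE property_type SET pro_Name = :name, pro_Description = :desc'
        . ' WHERE pro_ID = :id'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':desc', $desc, PDO::PARAM_STR);
    $stmt->bindValue(':id',   $id,   PDO::PARAM_INT);
    return $stmt->execute();
}

// Usage as a save handler would call it; connection details are assumed.
// $db = new PDO('mysql:host=localhost;dbname=churchcrm', $user, $pass, [
//     PDO::ATTR_EMULATE_PREPARES => false,           // server-side prepares
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// savePropertyTypeSafe($db, (int) $_POST['PropertyTypeID'],
//                      $_POST['Name'], $_POST['Description']);
```

Disabling emulated prepares keeps the query text and the values separate all the way to the server, which is the property that removes the injection.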


How to mitigate CVE-2026-39340

Install the security update from the vendor's website.

Sources