SQL injection in ChurchCRM - CVE-2026-39323

Published: April 9, 2026


Vulnerability identifier: #VU125701
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39323
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL commands to disclose sensitive information and modify data.

The vulnerability exists due to SQL injection in PropertyTypeEditor.php when handling the Name and Description POST parameters. A remote user can send specially crafted POST parameters to execute arbitrary SQL commands to disclose sensitive information and modify data.

Exploitation requires the Manage Properties permission, and injected data may persist in the database and be reflected across multiple application pages without output encoding.
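As an added illustration (not ChurchCRM's code; the handler, table and column names are hypothetical), the defect class behind CWE-89 and its fix: a query that splices the Name and Description POST parameters into the statement text lets request data reach the SQL parser, while a prepared statement binds them as values. The last line shows the output-encoding step the advisory notes is missing where stored values are reflected on other pages.

```php
<?php
// Hypothetical property-type save handler, not ChurchCRM's code.
// Uses an in-memory SQLite database so the file runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE property_type (id INTEGER PRIMARY KEY, name TEXT, description TEXT)');

// Constructed POST body; a single apostrophe is enough to show the difference.
$post = ['Name' => "Owner's Hall", 'Description' => 'Rooms available for events'];

// Vulnerable pattern (CWE-89): request data spliced into the statement text.
// Any quote in Name or Description changes the SQL instead of the stored value.
function saveUnsafe(PDO $db, array $post): void
{
    $sql = "INSERT INTO property_type (name, description) VALUES ('"
         . $post['Name'] . "', '" . $post['Description'] . "')";
    $db->exec($sql);
}

// Fixed pattern: placeholders in the statement, values bound as parameters.
// The driver transmits them as data, so they are never parsed as SQL.
function saveSafe(PDO $db, array $post): void
{
    $stmt = $db->prepare('INSERT INTO property_type (name, description) VALUES (:name, :desc)');
    $stmt->execute([':name' => $post['Name'], ':desc' => $post['Description']]);
}

try {
    saveUnsafe($db, $post);
} catch (PDOException $e) {
    // The apostrophe terminated the string literal: the input was parsed as SQL.
    echo 'unsafe version: SQL error -> ' . $e->getMessage() . PHP_EOL;
}

saveSafe($db, $post);
$row = $db->query('SELECT name, description FROM property_type')->fetch(PDO::FETCH_ASSOC);
echo 'safe version stored: ' . $row['name'] . PHP_EOL;

// Stored values are reflected on other pages later: encode at output time so a
// stored string cannot become markup (the second issue the advisory mentions).
echo '<td>' . htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>' . PHP_EOL;
```

Run with `php` on the command line; the unsafe call raises a syntax error from the database while the safe call stores the apostrophe verbatim.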


How to mitigate CVE-2026-39323

Install the security update from the vendor's website.

Sources