#VU125701 SQL injection in ChurchCRM - CVE-2026-39323

Published: April 9, 2026


Vulnerability identifier: #VU125701
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39323
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote user to execute arbitrary SQL commands and thereby disclose sensitive information or modify data.

The vulnerability exists due to SQL injection in PropertyTypeEditor.php when handling the Name and Description POST parameters. A remote user can send specially crafted values in these POST parameters to execute arbitrary SQL commands, disclosing sensitive information or modifying data.

Exploitation requires the Manage Properties permission, and injected data may persist in the database and be reflected across multiple application pages without output encoding.
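The two defensive points the description makes (unparameterized SQL built from POST fields, and stored values rendered on other pages without output encoding) are easier to see side by side. The following is an added illustration in PHP and is not ChurchCRM's code: the table and column names, the function names and the use of PDO with an in-memory SQLite database are all assumptions chosen for the example.

```php
<?php
// Added illustration, not code from ChurchCRM. Table and column names,
// function names and the PDO/SQLite setup are assumptions for this example.

// Vulnerable pattern (CWE-89): the POST values are spliced into the SQL text,
// so a quote character inside Name or Description changes the query itself.
function savePropertyTypeUnsafe(PDO $db, array $post): void
{
    $sql = "INSERT INTO property_type (name, description) VALUES ('"
         . $post['Name'] . "', '" . $post['Description'] . "')";
    $db->exec($sql);
}

// Hardened form: a prepared statement fixes the query structure first and
// sends the values separately, so they are only ever treated as data.
function savePropertyTypeSafe(PDO $db, array $post): void
{
    $stmt = $db->prepare(
        'INSERT INTO property_type (name, description) VALUES (:name, :description)'
    );
    $stmt->execute([
        ':name'        => (string) ($post['Name'] ?? ''),
        ':description' => (string) ($post['Description'] ?? ''),
    ]);
}

// The stored values are later shown on other pages, so output encoding is
// needed at render time as well: a prepared statement stops SQL injection but
// does nothing about stored markup in the saved text.
function renderPropertyType(string $name, string $description): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $enc($name) . '</td><td>' . $enc($description) . '</td></tr>';
}

// Constructed sample request body, as a browser form would submit it. The
// apostrophe in Description is a legitimate value that the safe path must keep
// intact rather than interpret.
$post = ['Name' => 'Pew', 'Description' => "Founders' row"];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE property_type (name TEXT, description TEXT)');

savePropertyTypeSafe($db, $post);

foreach ($db->query('SELECT name, description FROM property_type') as $row) {
    echo renderPropertyType($row['name'], $row['description']), PHP_EOL;
}
```

Running the script stores the description with its apostrophe as plain data and prints a single encoded table row. The unsafe function is kept only for comparison; it is the pattern to look for in review, not something to call.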


Remediation

Install the security update from the vendor's website.

External links