SQL injection in ChurchCRM - CVE-2026-39325


Published: April 9, 2026


Vulnerability identifier: #VU125705
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-39325
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL commands and disclose or modify database information.

The vulnerability exists due to SQL injection in the /SettingsUser.php endpoint when handling the POST type array parameter. A remote privileged user can send a specially crafted request to execute arbitrary SQL commands and disclose or modify database information.

The issue is blind in nature and occurs because array indexes (keys) from the type parameter are used unsafely in a database query.
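The defect class described above, as an added illustration that is not ChurchCRM's code and not taken from the advisory: the keys of a submitted PHP array are attacker-controlled strings just like its values, and concatenating them into a query is SQL injection even when the values are never used. The unsafe builder is shown only for contrast with the hardened version, which allowlists canonical integer keys and binds each one as a parameter. The PDO handle, the table and column names, and the shape of the type parameter are assumptions for the example.

```php
<?php
// Added example (not ChurchCRM code). Table name "example_table" and column "id"
// are placeholders; $type stands in for a decoded POST array such as $_POST['type'].
declare(strict_types=1);

/**
 * Vulnerable pattern, for contrast only: array keys are interpolated into SQL
 * with no validation or escaping, so a crafted key becomes part of the statement.
 */
function buildUnsafeQuery(array $type): string
{
    $ids = implode(',', array_keys($type));
    return "SELECT id FROM example_table WHERE id IN ($ids)";
}

/**
 * Hardened form: accept only keys that are canonical non-negative integers,
 * then bind every one as PDO::PARAM_INT so no request data is parsed as SQL.
 */
function selectAllowedIds(PDO $pdo, array $type): array
{
    $ids = [];
    foreach (array_keys($type) as $key) {
        // PHP already turns "7" into int 7 as a key, but "007", "-1", "1 OR 1=1"
        // and similar stay strings. ctype_digit rejects anything but 0-9, and the
        // round-trip compare rejects leading zeros so "007" is not accepted as 7.
        $key = (string) $key;
        if (!ctype_digit($key) || (string) (int) $key !== $key) {
            // Policy choice: skip the key here; rejecting the whole request and
            // logging the offending key is the stricter alternative.
            continue;
        }
        $ids[] = (int) $key;
    }
    if ($ids === []) {
        return [];
    }

    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id FROM example_table WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
```

The same allowlist-then-bind pattern applies whether the keys select rows, settings names, or columns; for non-numeric identifiers, compare each key against a fixed list of known names instead of ctype_digit, since column and table names cannot be bound as parameters.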


How to mitigate CVE-2026-39325

Install the security update from the vendor's website.

Sources