#VU125707 SQL injection in ChurchCRM - CVE-2026-39326


Published: April 9, 2026


Vulnerability identifier: #VU125707
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39326
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote authenticated user to read and modify information in the database.

The vulnerability exists due to insufficient neutralization of user-supplied input in the Name and Description POST parameters of the /PropertyTypeEditor.php endpoint, which are incorporated into SQL queries (CWE-89). A remote user holding the required privilege can submit specially crafted values in either parameter to read and modify data in the database.

Exploitation requires an authenticated account that passes the isMenuOptionsEnabled check; the PR:L component of the CVSS vector reflects this requirement.
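To make the CWE-89 pattern behind this advisory concrete, the following is an added illustration written for this page; it is not ChurchCRM's code and does not reproduce the affected handler. The table name property_type, its columns, the Id field, the request shape and the $user->isMenuOptionsEnabled() guard are assumptions. It runs stand-alone under the PHP CLI with the pdo_sqlite extension, using an in-memory database constructed inline in place of the application's MySQL schema.

```php
<?php
// Added example, not ChurchCRM's own code. The table and column names, the
// request shape and the isMenuOptionsEnabled() guard are assumptions made for
// illustration; only the CWE-89 pattern and its fix are the point.
declare(strict_types=1);

// Constructed in-memory SQLite database standing in for the application's schema.
function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE property_type (id INTEGER PRIMARY KEY, Name TEXT NOT NULL, Description TEXT)');
    $pdo->exec("INSERT INTO property_type (Name, Description) VALUES ('Member', 'Regular member')");
    return $pdo;
}

// Vulnerable pattern (CWE-89): the POST fields are interpolated into the SQL
// text, so any quote in Name or Description terminates the string literal and
// the remainder of the value is parsed as SQL.
function updateVulnerable(PDO $pdo, int $id, string $name, string $description): void
{
    $sql = "UPDATE property_type SET Name = '$name', Description = '$description' WHERE id = $id";
    $pdo->exec($sql);
}

// Hardened form: the statement text is constant; values are bound as
// parameters and cannot alter the statement's structure.
function updateSafe(PDO $pdo, int $id, string $name, string $description): void
{
    $stmt = $pdo->prepare(
        'UPDATE property_type SET Name = :name, Description = :description WHERE id = :id'
    );
    $stmt->execute([':name' => $name, ':description' => $description, ':id' => $id]);
}

function readRow(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT Name, Description FROM property_type WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handler sketch: authorisation first (the advisory says only accounts
// passing isMenuOptionsEnabled reach the endpoint), then validated,
// parameterised writes. $user is a hypothetical object exposing that check.
function handlePost(PDO $pdo, object $user, array $post): int
{
    if (!$user->isMenuOptionsEnabled()) {
        return 403;
    }
    $id = filter_var($post['Id'] ?? null, FILTER_VALIDATE_INT);
    $name = trim((string)($post['Name'] ?? ''));
    $description = (string)($post['Description'] ?? '');
    if ($id === false || $name === '' || strlen($name) > 100) {
        return 400;
    }
    updateSafe($pdo, $id, $name, $description);
    return 200;
}

// Demonstration with a benign value containing an apostrophe: that alone is
// enough to show that user input reaches the SQL parser in the vulnerable path.
$input = "Men's group";
$pdo = makeDb();
try {
    updateVulnerable($pdo, 1, $input, 'test');
    echo "vulnerable path: no error (unexpected)\n";
} catch (PDOException $e) {
    echo "vulnerable path: SQL error, input was parsed as SQL: " . $e->getMessage() . "\n";
}

// Stand-in for the session user; the real check's name is taken from the advisory.
$user = new class {
    public function isMenuOptionsEnabled(): bool { return true; }
};
$status = handlePost($pdo, $user, ['Id' => '1', 'Name' => $input, 'Description' => 'Members only']);
$row = readRow($pdo, 1);
echo "safe path: HTTP $status, Name stored verbatim: " . ($row['Name'] === $input ? 'yes' : 'no') . "\n";
```

The apostrophe test is deliberately harmless: a value that breaks the vulnerable query with a syntax error is proof that the statement's structure is under the caller's control, which is the whole of the vulnerability class. The prepared-statement form stores the same value unchanged because the parameter never passes through the SQL parser.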


Remediation

Install the security update from the vendor's website. Until it is applied, limiting which accounts hold the isMenuOptionsEnabled privilege reduces the set of users able to reach the vulnerable endpoint.

External links