#VU125710 SQL injection in ChurchCRM - CVE-2026-39329

 


Published: April 9, 2026


Vulnerability identifier: #VU125710
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39329
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in EventNames.php when handling the newEvtTypeCntLst parameter during event type creation. The input is filtered where it is interpolated into the VALUES portion of the INSERT statement, but the same value is interpolated a second time, unfiltered, into the ON DUPLICATE KEY UPDATE clause of that statement, so the filtering on the first occurrence offers no protection. A remote user can send a specially crafted request to execute arbitrary SQL commands.

Exploitation requires an authenticated account that holds the AddEvent permission, which is reflected in the PR:L component of the CVSS vector above.
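The following Python example is added here to illustrate the defect pattern the description names, escaping an input where it is inserted but re-interpolating the same raw value into the upsert's update clause. It is not ChurchCRM's code: the event_types table, its column names, the escape() helper and the PAYLOAD string are all constructed for the demonstration. It runs against an in-memory SQLite database, so MySQL's ON DUPLICATE KEY UPDATE is written as SQLite's equivalent ON CONFLICT ... DO UPDATE (SQLite 3.24 or later). The hardened version binds each value once and has the update branch reuse the bound insert value through the excluded pseudo-table, so there is no second interpolation to get wrong.

```python
import sqlite3

# Constructed schema standing in for an event-type table. Hypothetical; it is
# not ChurchCRM's schema and the column names are invented for this demo.
SCHEMA = """
CREATE TABLE event_types (
    type_id   INTEGER PRIMARY KEY,
    type_name TEXT UNIQUE NOT NULL,
    type_cnt  INTEGER NOT NULL DEFAULT 0
);
INSERT INTO event_types (type_name, type_cnt) VALUES ('Service', 1);
"""

# Constructed attacker-controlled value for the "count" field. Inside the raw
# SET clause it closes the literal and appends a second assignment.
PAYLOAD = "0', type_name = 'Hijacked"


def fresh_db():
    """Return a new in-memory database seeded with one existing event type."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def escape(value):
    """Escape a value for use inside a single-quoted SQL string literal.

    SQLite escapes a quote by doubling it; MySQL's real_escape_string uses a
    backslash instead. Either way, escaping only protects the places where it
    is actually applied.
    """
    return value.replace("'", "''")


def vulnerable_upsert(conn, name, cnt):
    """Upsert with the defect the advisory describes.

    The count is escaped where it goes into VALUES, but the same raw value is
    interpolated a second time, unescaped, into the DO UPDATE clause.
    """
    sql = (
        "INSERT INTO event_types (type_name, type_cnt) "
        f"VALUES ('{escape(name)}', '{escape(cnt)}') "
        f"ON CONFLICT(type_name) DO UPDATE SET type_cnt = '{cnt}'"
    )
    conn.execute(sql)
    conn.commit()
    return sql


def safe_upsert(conn, name, cnt):
    """Hardened form: bind both values once and let the update branch reuse the
    bound insert value via the excluded pseudo-table instead of re-interpolating."""
    sql = (
        "INSERT INTO event_types (type_name, type_cnt) VALUES (?, ?) "
        "ON CONFLICT(type_name) DO UPDATE SET type_cnt = excluded.type_cnt"
    )
    conn.execute(sql, (name, cnt))
    conn.commit()
    return sql


def type_names(conn):
    """All event type names, sorted, so the effect of each upsert is visible."""
    return [row[0] for row in conn.execute(
        "SELECT type_name FROM event_types ORDER BY type_name")]


def type_cnt(conn, name):
    """Stored count for one event type, or None if no such row exists."""
    row = conn.execute(
        "SELECT type_cnt FROM event_types WHERE type_name = ?", (name,)).fetchone()
    return row[0] if row else None


def demo():
    """Run the same attacker input through both versions against fresh databases."""
    vuln = fresh_db()
    vulnerable_upsert(vuln, "Service", PAYLOAD)   # conflicts on 'Service', so SET runs
    safe = fresh_db()
    safe_upsert(safe, "Service", PAYLOAD)
    return {
        # Injected assignment renamed the existing row and zeroed its count.
        "vulnerable_names": type_names(vuln),
        "vulnerable_cnt": type_cnt(vuln, "Hijacked"),
        # Bound parameter: the row keeps its name; the payload is stored as plain text.
        "safe_names": type_names(safe),
        "safe_cnt": type_cnt(safe, "Service"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running demo() shows the difference directly: with the vulnerable builder the existing "Service" row is renamed by the injected assignment, while the parameterized builder leaves the row intact and merely stores the payload as an (unusable) count. The same point carries over to MySQL, where the equivalent of excluded.type_cnt is VALUES(type_cnt) or a row alias, and where prepared statements with bound parameters replace string building altogether.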


Remediation

Install the security update from the vendor's website.

External links