SQL injection in ChurchCRM - CVE-2026-39329


Published: April 9, 2026


Vulnerability identifier: #VU125710
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39329
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software: ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in EventNames.php when handling the newEvtTypeCntLst parameter during event type creation. A remote user can send a specially crafted request to execute arbitrary SQL commands.

Exploitation is limited to users with AddEvent permissions, and the unsafe interpolation occurs in the ON DUPLICATE KEY UPDATE clause after the same input is filtered in the VALUES portion.
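The pattern described above (an escaping filter applied to the value in the VALUES list, with the same value interpolated raw into the upsert's UPDATE clause) is easy to reproduce in miniature. The following is an added illustration, not ChurchCRM's code: it uses an in-memory SQLite table and SQLite's ON CONFLICT DO UPDATE as a stand-in for MySQL's ON DUPLICATE KEY UPDATE, with a constructed schema, a constructed hostile input, and hypothetical function names. It shows the inconsistent escaping letting the UPDATE clause rewrite an unrelated column, the same query written with bound parameters so the input is stored verbatim, and an allow-list check that rejects anything that is not a comma-separated list of integers before it reaches the database.

```python
import re
import sqlite3

# Constructed, minimal stand-in for an event-type table; not ChurchCRM's schema.
SCHEMA = """
CREATE TABLE event_types (
    id INTEGER PRIMARY KEY,
    name TEXT UNIQUE NOT NULL,
    count_list TEXT NOT NULL,
    description TEXT NOT NULL DEFAULT ''
);
INSERT INTO event_types (name, count_list, description)
VALUES ('Service', '0', 'weekly service');
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def escape_literal(value):
    """Single-quote doubling, the kind of filter applied to the VALUES portion."""
    return value.replace("'", "''")


def upsert_vulnerable(conn, name, count_list):
    """Escapes both inputs in VALUES but interpolates count_list raw in the
    UPDATE clause: the inconsistency the advisory describes (hypothetical code)."""
    sql = (
        "INSERT INTO event_types (name, count_list) "
        f"VALUES ('{escape_literal(name)}', '{escape_literal(count_list)}') "
        f"ON CONFLICT(name) DO UPDATE SET count_list = '{count_list}'"
    )
    conn.execute(sql)
    conn.commit()
    return sql


def upsert_parameterized(conn, name, count_list):
    """Same statement with bound parameters in every position, so the input
    can only ever be a value, never SQL syntax."""
    sql = (
        "INSERT INTO event_types (name, count_list) VALUES (?, ?) "
        "ON CONFLICT(name) DO UPDATE SET count_list = ?"
    )
    conn.execute(sql, (name, count_list, count_list))
    conn.commit()
    return sql


# A count list is only ever digits separated by commas; reject everything else
# at the input boundary (defence in depth on top of parameter binding).
COUNT_LIST_RE = re.compile(r"\d+(,\d+)*")


def validate_count_list(value):
    return COUNT_LIST_RE.fullmatch(value) is not None


def fetch(conn, name):
    """Return (count_list, description) for the named event type."""
    return conn.execute(
        "SELECT count_list, description FROM event_types WHERE name = ?", (name,)
    ).fetchone()


def demo():
    # Constructed hostile input: closes the literal and rewrites another column.
    tampering = "0', description = 'tampered"

    vuln = new_db()
    upsert_vulnerable(vuln, "Service", tampering)   # conflict on name -> UPDATE clause runs
    vuln_row = fetch(vuln, "Service")                # ('0', 'tampered')

    safe = new_db()
    upsert_parameterized(safe, "Service", tampering)
    safe_row = fetch(safe, "Service")                # input stored verbatim, description intact

    return vuln_row, safe_row


if __name__ == "__main__":
    print(demo())
    print(validate_count_list("1,2,3"), validate_count_list("0', description = 'tampered"))
```

The escaped VALUES part is harmless in both versions; the damage comes entirely from the second, unescaped copy of the same input in the UPDATE clause, which is why an escaping filter applied in one place gives no assurance about the statement as a whole. Binding parameters everywhere removes that class of mistake, and validating the count list against the shape it is supposed to have means a malformed value is rejected before any query is built.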


How to mitigate CVE-2026-39329

Install the security update from the vendor's website.

Sources