SQL injection in ChurchCRM - CVE-2026-39343

Published: May 5, 2026


Vulnerability identifier: #VU129702
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-39343
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote privileged user (an authenticated ChurchCRM administrator) to execute arbitrary SQL commands against the application database.

The vulnerability exists due to improper neutralization of special elements used in an SQL command (CWE-89) in EditEventTypes.php when handling the EN_tyid POST parameter. A remote privileged user can send a specially crafted POST request with a malicious EN_tyid value to execute arbitrary SQL commands against the database.

The vulnerable page is only accessible to administrators, which is why the CVSS vector carries PR:H and the severity is rated Low despite the high confidentiality, integrity and availability impact on the database.
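The following PHP snippet is an added illustration of the bug class described above and is not ChurchCRM's own code: the actual contents of EditEventTypes.php are not reproduced here, and the table name `event_types`, the column `type_id`, and the function names are assumptions for illustration only. It shows an integer-typed POST parameter spliced into SQL by string concatenation, the query text that results from a crafted value, and a hardened version that validates the type and binds the value in a prepared statement.

```php
<?php
// Added example (not ChurchCRM's code). Table/column/function names are assumed.
declare(strict_types=1);

// Builds the query text the way a vulnerable handler would: the raw request
// value is concatenated into the SQL string, so SQL syntax in the value
// becomes part of the statement instead of data.
function buildVulnerableQuery(string $rawId): string
{
    return "DELETE FROM event_types WHERE type_id = " . $rawId;
}

// Vulnerable pattern: EN_tyid flows from $_POST straight into the SQL text.
function deleteEventTypeVulnerable(mysqli $db, array $post): bool
{
    $rawId = (string) ($post['EN_tyid'] ?? '');
    return $db->query(buildVulnerableQuery($rawId)) !== false;
}

// Hardened pattern: reject anything that is not an integer, then bind the
// value as a typed parameter so the database never parses it as SQL.
function deleteEventTypeHardened(mysqli $db, array $post): bool
{
    $rawId = $post['EN_tyid'] ?? null;
    if (!is_string($rawId) || filter_var($rawId, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('EN_tyid must be an integer');
    }
    $id = (int) $rawId;

    $stmt = $db->prepare("DELETE FROM event_types WHERE type_id = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);   // 'i' = integer; the value is sent out-of-band
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Offline demonstration (no database needed): constructed POST values and the
// statement text each one would produce under the vulnerable pattern.
$constructedInputs = [
    '3',            // legitimate id
    '3 OR 1=1',     // widens the WHERE clause to every row
];
foreach ($constructedInputs as $value) {
    echo "EN_tyid=" . var_export($value, true) . "\n";
    echo "  vulnerable SQL: " . buildVulnerableQuery($value) . "\n";
    $valid = filter_var($value, FILTER_VALIDATE_INT) !== false;
    echo "  hardened handler: " . ($valid ? 'accepted as int' : 'rejected') . "\n";
}
```

Running the file with the PHP CLI prints the two generated statements and shows that the hardened handler rejects the second value before any query is built. The integer validation alone would already close this particular hole; the prepared statement is the general fix, and it is the one to apply to every other parameter the page handles.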


How to mitigate CVE-2026-39343

Install the security update from the vendor's website. Until it is applied, note that exploitation requires an authenticated administrator account, so limiting the number of administrator accounts and reviewing who holds them reduces exposure.

Sources