Vulnerability Description
ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. A user has to be authenticated. For `ManageGroups` privileges have to be enabled and for the other two endpoints the attack has to be executed by an administrative user. These users can inject arbitrary SQL statements through the `Field` parameter and thus modify tables from the database. This vulnerability is fixed in 7.1.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Churchcrm | Churchcrm | <= 7.0.5 |
Related Weaknesses (CWE)
References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r53-w4r6-w62cNot Applicable
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rcExploitVendor Advisory
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rcExploitVendor Advisory
FAQ
What is CVE-2026-39318?
CVE-2026-39318 is a vulnerability with a CVSS score of 8.8 (HIGH). ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/F...
How severe is CVE-2026-39318?
CVE-2026-39318 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-39318?
Check the references section above for vendor advisories and patch information. Affected products include: Churchcrm Churchcrm.