Vulnerability Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() which both strips HTML and escapes SQL — was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields are concatenated directly into raw INSERT and UPDATE queries with no SQL escaping. This allows any authenticated user with the MenuOptions role (a non-admin staff permission) to perform time-based blind injection and exfiltrate any data from the database, including password hashes of all users. This vulnerability is fixed in 7.1.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Churchcrm | Churchcrm | < 7.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9Third Party Advisory
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9Third Party Advisory
FAQ
What is CVE-2026-39340?
CVE-2026-39340 is a vulnerability with a CVSS score of 8.1 (HIGH). ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property typ...
How severe is CVE-2026-39340?
CVE-2026-39340 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-39340?
Check the references section above for vendor advisories and patch information. Affected products include: Churchcrm Churchcrm.