CVE-2026-39317

HIGH NVD

CVSS Score 8.8

Severity HIGH

Published Apr 07, 2026

Vendor unknown

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in ChurchCRM's SettingsIndividual.php where user-controlled array keys from the type POST parameter are used directly in SQL queries without sanitization. This allows any authenticated user to extract sensitive data from the database. This vulnerability is fixed in 7.1.0.

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h7hg-f7cw-9xwc