LeakyCreds

CVE-2026-34402 - Vulnerability Analysis

High (CVSS: 8.1)

Last Updated: April 6, 2026

ChurchCRM - SQL Injection

Published: April 6, 2026 | Updated: April 6, 2026 | Remotely Exploitable

Overview

ChurchCRM versions before 7.1.0 contain a time-based blind SQL injection caused by improper input handling in PropertyAssign.php. It lets authenticated users with Edit Records or Manage Groups permissions exfiltrate or modify database content. Exploitation requires these specific user permissions.

Severity & Score

Severity: High
CVSS Score: 8.1

Impact

Authenticated users can exfiltrate or modify any database content, including credentials and PII, leading to full data compromise.

Mitigation

Upgrade to version 7.1.0 or later.

Details

CVE ID: CVE-2026-34402
Severity: High
CVSS Score: 8.1
Type: sql_injection
Status: new

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N