
CVE-2026-39323 - Vulnerability Analysis

High | CVSS: 8.8

Last Updated: April 7, 2026

ChurchCRM - SQL Injection

Published: April 7, 2026 | Updated: April 7, 2026 | Remote Exploitable

Overview

ChurchCRM < 7.1.0 contains a SQL injection caused by insufficient sanitization of the Name and Description POST parameters in PropertyTypeEditor.php, which lets authenticated users with the Manage Properties permission execute arbitrary SQL commands. Exploitation requires the Manage Properties permission.

Severity & Score

Severity: High
CVSS Score: 8.8

Impact

Authenticated users can execute arbitrary SQL commands, leading to data exfiltration, modification, and deletion.

Mitigation

Upgrade to version 7.1.0 or later.

Details

CVE ID: CVE-2026-39323
Severity: High
CVSS Score: 8.8
Type: sql_injection
Status: new

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H