{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35184", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.134Z", "datePublished": "2026-04-06T19:21:22.597Z", "dateUpdated": "2026-04-07T19:25:50.870Z"}, "containers": {"cna": {"title": "EcclesiaCRM has a Critical SQL Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/phili67/ecclesiacrm/security/advisories/GHSA-gjw3-73q9-v2qh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/phili67/ecclesiacrm/security/advisories/GHSA-gjw3-73q9-v2qh"}, {"name": "https://github.com/phili67/ecclesiacrm/pull/2861", "tags": ["x_refsource_MISC"], "url": "https://github.com/phili67/ecclesiacrm/pull/2861"}, {"name": "https://github.com/phili67/ecclesiacrm/commit/f743b97f89da469a4c70b82bd61d0a59a3a957a9", "tags": ["x_refsource_MISC"], "url": "https://github.com/phili67/ecclesiacrm/commit/f743b97f89da469a4c70b82bd61d0a59a3a957a9"}, {"name": "https://gist.github.com/NicolasPauferro/d877992327592f1e8eb4e2c9dce1ae9b", "tags": ["x_refsource_MISC"], "url": "https://gist.github.com/NicolasPauferro/d877992327592f1e8eb4e2c9dce1ae9b"}], "affected": [{"vendor": "phili67", "product": "ecclesiacrm", "versions": [{"version": "< 8.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:21:22.597Z"}, "descriptions": [{"lang": "en", "value": "EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0."}], "source": {"advisory": "GHSA-gjw3-73q9-v2qh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T19:24:22.399143Z", "id": "CVE-2026-35184", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:25:50.870Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-35184", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T19:24:22.399143Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:25:45.711Z"}}], "cna": {"title": "EcclesiaCRM has a Critical SQL Injection", "source": {"advisory": "GHSA-gjw3-73q9-v2qh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "phili67", "product": "ecclesiacrm", "versions": [{"status": "affected", "version": "< 8.0.0"}]}], "references": [{"url": "https://github.com/phili67/ecclesiacrm/security/advisories/GHSA-gjw3-73q9-v2qh", "name": "https://github.com/phili67/ecclesiacrm/security/advisories/GHSA-gjw3-73q9-v2qh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/phili67/ecclesiacrm/pull/2861", "name": "https://github.com/phili67/ecclesiacrm/pull/2861", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/phili67/ecclesiacrm/commit/f743b97f89da469a4c70b82bd61d0a59a3a957a9", "name": "https://github.com/phili67/ecclesiacrm/commit/f743b97f89da469a4c70b82bd61d0a59a3a957a9", "tags": ["x_refsource_MISC"]}, {"url": "https://gist.github.com/NicolasPauferro/d877992327592f1e8eb4e2c9dce1ae9b", "name": "https://gist.github.com/NicolasPauferro/d877992327592f1e8eb4e2c9dce1ae9b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:21:22.597Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35184", "state": "PUBLISHED", "dateUpdated": "2026-04-07T19:25:50.870Z", "dateReserved": "2026-04-01T17:26:21.134Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T19:21:22.597Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ecclesiacrm:ecclesiacrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "C238F748-4527-41E8-AC67-08153E13430B", "versionEndExcluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0."}], "id": "CVE-2026-35184", "lastModified": "2026-04-16T04:35:50.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T20:16:26.880", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/NicolasPauferro/d877992327592f1e8eb4e2c9dce1ae9b"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/phili67/ecclesiacrm/commit/f743b97f89da469a4c70b82bd61d0a59a3a957a9"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/phili67/ecclesiacrm/pull/2861"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/phili67/ecclesiacrm/security/advisories/GHSA-gjw3-73q9-v2qh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ecclesiacrm", "source": "cna", "vendor": "phili67"}, "product": "ecclesiacrm", "vendor": "phili67"}], "analysis": {"en": {"generated_at": "2026-04-07T01:37:49.205690+00:00", "value": {"mitigation_remediation": ["Apply version 8.0.0 or later of EcclesiaCRM to remove the flaw.", "If an immediate update is not possible, restrict or block external access to the /v2/templates/query/queryview.php endpoint and enforce strict input validation on \"custom\" and \"value\" parameters."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection enabling unauthorized database manipulation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects EcclesiaCRM installations running any version before 8.0.0. No additional version specifics are listed, so any release older than 8.0.0 is considered at risk.", "description_and_impact": "EcclesiaCRM versions prior to 8.0.0 contain a SQL injection flaw in v2/templates/query/queryview.php. The flaw originates from unsanitized \"custom\" and \"value\" parameters, allowing an attacker to inject arbitrary SQL. This can lead to data disclosure, modification, or potential privilege escalation within the application.", "risk_and_exploitability": "The CVSS score of 8.7 indicates high severity, while EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by accessing the vulnerable endpoint through web requests with crafted parameters, potentially achieving full database compromise. The path requires only the ability to send HTTP requests to the application, making it readily exploitable in accessible environments."}}}}, "created": "2026-04-07T06:54:26.834489+00:00", "updated": "2026-04-07T09:37:29.045626+00:00", "vendors": ["phili67", "phili67$PRODUCT$ecclesiacrm"]}