{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39318", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.266Z", "datePublished": "2026-04-07T17:27:51.450Z", "dateUpdated": "2026-04-09T17:25:34.147Z"}, "containers": {"cna": {"title": "ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r53-w4r6-w62c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r53-w4r6-w62c"}, {"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc", "tags": ["x_refsource_MISC"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:25:34.147Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. A user has to be authenticated. For `ManageGroups` privileges have to be enabled and for the other two endpoints the attack has to be executed by an administrative user. These users can inject arbitrary SQL statements through the `Field` parameter and thus modify tables from the database. This vulnerability is fixed in 7.1.0."}], "source": {"advisory": "GHSA-j3vj-59vv-h4rc", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:46:28.790516Z", "id": "CVE-2026-39318", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:46:33.913Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39318", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T18:46:28.790516Z"}}}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:46:22.327Z"}}], "cna": {"title": "ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php", "source": {"advisory": "GHSA-j3vj-59vv-h4rc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.1.0"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupPropsFormRowOps.php file contains a SQL injection vulnerability. User input in the Field parameter is directly inserted into SQL queries without proper sanitization. The mysqli_real_escape_string() function does not escape backtick characters, allowing attackers to break out of SQL identifier context and execute arbitrary SQL statements. This vulnerability is fixed in 7.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:27:51.450Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39318", "state": "PUBLISHED", "dateUpdated": "2026-04-08T18:46:33.913Z", "dateReserved": "2026-04-06T19:31:07.266Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:27:51.450Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DD42DAF-385C-4BEB-B5B9-50838CEA9D2E", "versionEndIncluding": "7.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. A user has to be authenticated. For `ManageGroups` privileges have to be enabled and for the other two endpoints the attack has to be executed by an administrative user. These users can inject arbitrary SQL statements through the `Field` parameter and thus modify tables from the database. This vulnerability is fixed in 7.1.0."}], "id": "CVE-2026-39318", "lastModified": "2026-04-15T20:20:24.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:42.810", "references": [{"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r53-w4r6-w62c"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-09T19:35:09.867478+00:00", "value": {"mitigation_remediation": ["Apply the ChurchCRM patch that upgrades to version 7.1.0 or later", "If a patch cannot be applied immediately, restrict access to the GroupPropsFormRowOps.php, PersonCustomFieldsRowOps.php, and FamilyCustomFieldsRowOps.php endpoints to users with administrative privileges only and remove any unnecessary privileges from other users", "Ensure that all user credentials are strong and that multi\u2011factor authentication is enabled to reduce the risk of unauthorized login"], "summary": {"action": "Patch ASAP", "impact": "Uncontrolled SQL injection allowing arbitrary database modification by authenticated users"}, "threat_synthesis": {"affected_systems": "All ChurchCRM installations running any version prior to 7.1.0 are affected. The vulnerability applies to the server\u2011side script that handles group, person custom field, and family custom field operations.", "description_and_impact": "ChurchCRM, an open\u2011source church management system, contains an SQL injection flaw in the GroupPropsFormRowOps.php, PersonCustomFieldsRowOps.php, and FamilyCustomFieldsRowOps.php endpoints. Attackers authenticated as users with ManageGroups privileges (or administrative users for the other two endpoints) can supply malicious content in the Field parameter, which is interpolated directly into SQL statements. This enables the attacker to insert, update, or delete rows in arbitrary database tables, compromising the integrity and confidentiality of church data and potentially giving the attacker a foothold for further exploitation.", "risk_and_exploitability": "The CVSS score of 8.8 classifies this vulnerability as high severity. EPSS indicates a very low probability of exploitation, and it is not currently listed in CISA\u2019s KEV catalog. Exploitation requires authentication and sufficient privileges, meaning the attacker must first obtain valid credentials or elevate privileges. Nevertheless, once authenticated, the attack path is straightforward: a crafted request to the vulnerable endpoint with a malicious Field value will execute arbitrary SQL."}}}}, "created": "2026-04-08T19:47:15.900068+00:00", "updated": "2026-04-10T09:41:22.204240+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}