{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39327", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.267Z", "datePublished": "2026-04-07T17:31:37.384Z", "dateUpdated": "2026-04-07T18:39:00.851Z"}, "containers": {"cna": {"title": "ChurchCRM has a SQL injection in MemberRoleChange.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66fc-v5xj-x859", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66fc-v5xj-x859"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:31:37.384Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject arbitrary SQL statements through the NewRole parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0."}], "source": {"advisory": "GHSA-66fc-v5xj-x859", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T18:37:01.582650Z", "id": "CVE-2026-39327", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:39:00.851Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39327", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T18:37:01.582650Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:38:56.923Z"}}], "cna": {"title": "ChurchCRM has a SQL injection in MemberRoleChange.php", "source": {"advisory": "GHSA-66fc-v5xj-x859", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.1.0"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66fc-v5xj-x859", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66fc-v5xj-x859", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject arbitrary SQL statements through the NewRole parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:31:37.384Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39327", "state": "PUBLISHED", "dateUpdated": "2026-04-07T18:39:00.851Z", "dateReserved": "2026-04-06T19:31:07.267Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:31:37.384Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF846F61-0C1E-49AB-B691-A01937A6C24D", "versionEndExcluding": "7.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject arbitrary SQL statements through the NewRole parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0."}], "id": "CVE-2026-39327", "lastModified": "2026-04-10T20:56:43.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:43.883", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66fc-v5xj-x859"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-10T22:43:29.565489+00:00", "value": {"mitigation_remediation": ["Apply the latest ChurchCRM release (7.1.0 or newer) to eliminate the vulnerable code.", "If an immediate upgrade is not feasible, restrict the MemberRoleChange.php endpoint to users who must legitimately have the Manage Groups & Roles role and revoke the permission from other accounts.", "Monitor application logs for unexpected or repeated SQL statements targeting the NewRole parameter to detect potential exploitation attempts.", "Review custom extensions or plugins that interact with the database to ensure they use parameterized queries and validate input before execution."], "summary": {"action": "Immediate Patch", "impact": "Data Compromise via SQL Injection"}, "threat_synthesis": {"affected_systems": "Affected systems include the ChurchCRM open\u2011source management platform, specifically the CRM product. Vulnerable releases are any versions older than 7.1.0, with 7.0.5 stated as a known affected version. Administrators should verify which version their installation is running and update accordingly.", "description_and_impact": "ChurchCRM contains a SQL injection vulnerability in the /MemberRoleChange.php endpoint that allows authenticated users with the Manage Groups & Roles role to inject arbitrary SQL statements through the NewRole parameter. This weakness, classified as CWE-89, enables attackers to read or modify database contents, potentially compromising confidentiality, integrity, and availability of church records. The vulnerability exists in versions prior to 7.1.0, specifically 7.0.5, and any earlier releases.", "risk_and_exploitability": "With a CVSS score of 8.8 the vulnerability is considered high severity, but the EPSS score of less than 1% indicates a low expected exploitation probability in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known active exploits. Exploitation requires a valid user account with the Manage Groups & Roles permission and involves sending a crafted request containing malicious SQL via the NewRole field to the MemberRoleChange.php endpoint."}}}}, "created": "2026-04-08T19:47:11.520822+00:00", "updated": "2026-04-13T14:26:39.662906+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}