{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39330", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T20:28:38.392Z", "datePublished": "2026-04-07T17:34:30.429Z", "dateUpdated": "2026-04-07T18:09:08.271Z"}, "containers": {"cna": {"title": "ChurchCRM has a Blind SQL injection in PropertyAssign.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-xq86-jh52-728g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-xq86-jh52-728g"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:34:30.429Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can inject arbitrary SQL statements through the Value parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0."}], "source": {"advisory": "GHSA-xq86-jh52-728g", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-xq86-jh52-728g", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T18:08:55.581388Z", "id": "CVE-2026-39330", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:09:08.271Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39330", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T18:08:55.581388Z"}}}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-xq86-jh52-728g", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:08:50.169Z"}}], "cna": {"title": "ChurchCRM has a Blind SQL injection in PropertyAssign.php", "source": {"advisory": "GHSA-xq86-jh52-728g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.1.0"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-xq86-jh52-728g", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-xq86-jh52-728g", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can inject arbitrary SQL statements through the Value parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:34:30.429Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39330", "state": "PUBLISHED", "dateUpdated": "2026-04-07T18:09:08.271Z", "dateReserved": "2026-04-06T20:28:38.392Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:34:30.429Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF846F61-0C1E-49AB-B691-A01937A6C24D", "versionEndExcluding": "7.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can inject arbitrary SQL statements through the Value parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0."}], "id": "CVE-2026-39330", "lastModified": "2026-04-10T20:55:50.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:44.327", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-xq86-jh52-728g"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-xq86-jh52-728g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-10T22:42:43.849252+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 7.1.0 or later"], "summary": {"action": "Patch", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "ChurchCRM version 7.0.x and earlier are affected. The vulnerability is present in the ChurchCRM open\u2011source church management system before the 7.1.0 release. Only users with the Manage Groups & Roles role and the permission to edit records can exploit the flaw.", "description_and_impact": "A blind SQL injection flaw exists in the PropertyAssign.php endpoint of ChurchCRM, allowing certain authenticated users to inject arbitrary SQL through the Value parameter. The vulnerability can be used to read sensitive data or modify the database, potentially leaking confidential church records or altering membership information. It is a classic input validation weakness listed as CWE\u201189, which can lead to significant confidentiality and integrity violations.", "risk_and_exploitability": "The CVSS v3 score of 8.8 indicates high severity. The EPSS score is below 1%, suggesting that current exploitation attempts are rare, and the vulnerability is not in CISA\u2019s KEV catalog. The likely attack path requires an authenticated session with the appropriate role; an attacker must first log in to the web interface and then send a crafted request to PropertyAssign.php. With this access, the SQL injection can be leveraged to read or alter database contents."}}}}, "created": "2026-04-08T19:47:08.271680+00:00", "updated": "2026-04-13T14:26:36.336447+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}