CVE-2026-35184
Status: Received - Intake
SQL Injection in EcclesiaCRM queryview.php Allows Data Manipulation

Publication date: 2026-04-06

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0.
Meta Information
Published
2026-04-06
Last Modified
2026-04-16
Generated
2026-05-07
AI Q&A
2026-04-06
EPSS Evaluated
2026-05-05
NVD
EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: ecclesiacrm
Product: ecclesiacrm
Version / Range: up to 8.0.0 (excluding)
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35184 is a critical SQL injection vulnerability in EcclesiaCRM versions prior to 8.0.0, specifically in the file src/v2/templates/query/queryview.php. The vulnerability arises because user-supplied input parameters, such as 'custom' and 'value', are improperly validated and directly incorporated into SQL queries without adequate sanitization or escaping.

This flaw allows an authenticated attacker with permission to execute database queries to inject malicious SQL code, potentially leading to unauthorized data access or manipulation.

The vulnerability was fixed by improving input validation, adding checks for parameter existence before SQL execution, restricting debug output to admin users, and enhancing error handling to prevent execution of unsafe queries.


How can this vulnerability impact me?

This vulnerability can have severe impacts if exploited. An attacker with authenticated access and permission to run queries can execute arbitrary SQL commands, including UNION-based injections, and could:

  • Bypass authentication and gain full access to the database.
  • Exfiltrate sensitive data such as user credentials and personal, financial, and pastoral information.
  • Modify or delete data, impacting data integrity.
  • Disrupt database availability through heavy queries or data deletion.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by confirming that an EcclesiaCRM installation is older than 8.0.0 (every such version ships the vulnerable file `src/v2/templates/query/queryview.php`) and by monitoring for suspicious SQL syntax in the `custom` and `value` parameters, which may indicate SQL injection attempts.

Since the vulnerability involves SQL injection via HTTP POST parameters, one way to detect exploitation attempts is to capture and analyze HTTP requests to the endpoint `/v2/query/view/{id}` for unusual or malicious SQL payloads in the `custom` and `value` parameters.

Suggested commands for detection include using network traffic capture tools like tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint, for example:

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'custom='
  • Using web server logs (e.g., Apache or Nginx access logs) to search for POST requests to `/v2/query/view/` containing suspicious SQL keywords or injection patterns in parameters `custom` or `value`.

Additionally, reviewing application logs for debug output that reveals raw SQL queries (output the fix restricts to admin users) can help identify attempted or successful exploitation.
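As an added example (not from this page or the EcclesiaCRM project), the log-search idea above applied to a constructed set of captured POST requests: it decodes each form body, keeps only requests to the `/v2/query/view/{id}` endpoint named above, and flags `custom` or `value` parameters that carry SQL syntax. The request samples and the SQL-syntax pattern are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample of captured HTTP POST requests as (method, path, body),
# the shape a proxy log or a tcpdump -A capture would yield; not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/v2/query/view/12", "custom=per_Email&value=alice%40example.org"),
    ("POST", "/v2/query/view/12", "custom=per_Email&value=x%27+UNION+SELECT+1%2C2--+"),
    ("POST", "/v2/query/view/7", "custom=per_LastName%3B+DROP+TABLE+example_table&value=smith"),
    ("GET", "/v2/query/view/7", ""),
    ("POST", "/v2/people/search", "value=%27+OR+1%3D1--"),  # different endpoint, ignored
]

ENDPOINT_RE = re.compile(r"^/v2/query/view/\d+$")
WATCHED_PARAMS = ("custom", "value")
# Indicators of SQL syntax inside what should be a plain column name or literal value.
SQLI_RE = re.compile(
    r"(\bunion\b|\bselect\b|\bdrop\b|\binsert\b|\bupdate\b|\bdelete\b|\bsleep\s*\(|--|/\*|;|')",
    re.IGNORECASE,
)


def extract_findings(requests):
    """Return (path, parameter, decoded value) for every watched parameter that
    reaches the vulnerable endpoint carrying SQL syntax."""
    findings = []
    for method, path, body in requests:
        if method != "POST" or not ENDPOINT_RE.match(urlparse(path).path):
            continue
        # parse_qs reverses percent-encoding and '+' so the pattern sees the real payload.
        params = parse_qs(body, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for decoded in params.get(name, []):
                if SQLI_RE.search(decoded):
                    findings.append((path, name, decoded))
    return findings


if __name__ == "__main__":
    for path, name, decoded in extract_findings(SAMPLE_REQUESTS):
        print(f"suspicious {name!r} on {path}: {decoded!r}")
```

The pattern is deliberately broad, so a legitimate value containing an apostrophe (a surname such as O'Brien) will also be flagged; tune the expression against your own baseline traffic before alerting on it.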


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading EcclesiaCRM to version 8.0.0 or later, where this SQL injection vulnerability has been fixed.

If upgrading is not immediately possible, restrict or revoke permissions that allow users to execute database queries via the vulnerable component, especially avoiding granting query execution permissions to non-trusted users.

Avoid granting administrator or query execution permissions to users who do not require them, as the vulnerability requires authenticated access with such permissions.

Apply input validation and sanitization patches as described in the fix, which include improved input validation in the `ValidateInput()` function and checks for parameter existence before SQL execution.

Disable or remove any debug output that exposes raw SQL queries to prevent information disclosure.

Monitor and audit logs for suspicious activity targeting the vulnerable endpoint and parameters.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-35184 is a critical SQL injection vulnerability in EcclesiaCRM that allows authenticated attackers to execute arbitrary SQL commands, potentially leading to unauthorized access to sensitive data stored in the database.

Because the vulnerability enables attackers to access, modify, or exfiltrate sensitive personal, financial, and pastoral data, it poses a significant risk to data confidentiality and integrity.

Such unauthorized data access and potential data breaches can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information.

Therefore, if exploited, this vulnerability could result in violations of these regulations due to exposure or compromise of protected data.

