CVE-2026-35566
Received Received - Intake

Critical SQL Injection in ChurchCRM FundRaiserStatement Component

Vulnerability report for CVE-2026-35566, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-07

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39319. Reason: This candidate is a duplicate of CVE-2026-39319. Notes: All CVE users should reference CVE-2026-39319 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-07
Last Modified
2026-04-07
Generated
2026-07-06
AI Q&A
2026-04-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
churchcrm churchcrm to 7.1.0 (exc)
churchcrm churchcrm 7.1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-35566 is a critical SQL injection vulnerability in ChurchCRM versions 7.0.5 and earlier. It occurs because a session variable ($_SESSION['iCurrentFundraiser']) is used directly in an SQL query without proper integer validation or quoting. The input originates from a GET parameter 'FundRaiserID' that is filtered without enforcing it as an integer, allowing malicious input to be injected into the SQL query.

This vulnerability allows an attacker to manipulate the SQL query structure by injecting malicious payloads, leading to unauthorized data access or modification.

Impact Analysis

An authenticated attacker exploiting this vulnerability can extract sensitive data such as administrator usernames and password hashes, execute arbitrary SQL queries, bypass authentication, and manipulate or delete database records.

Detection Guidance

This vulnerability can be detected by observing unusual behavior related to the FundRaiserID parameter in HTTP requests and by testing for SQL injection in the session variable $_SESSION['iCurrentFundraiser'] used in SQL queries.

A practical detection method involves sending crafted HTTP requests to the FundRaiserEditor.php endpoint with malicious payloads in the FundRaiserID parameter to see if the system is vulnerable to SQL injection.

For example, you can use curl commands to test for time-based blind SQL injection by injecting payloads that cause delays if the injection is successful.

  • curl -i "http://yourchurchcrmserver/FundRaiserEditor.php?FundRaiserID=1+UNION+SELECT+0,0,0,0,usr_UserName,usr_Password,usr_Style,0,usr_apiKey,CHAR(48),CHAR(48),CHAR(48),CHAR(48),CHAR(48),CHAR(48)+FROM+user_usr+WHERE+usr_per_ID=1+AND+(SELECT+SLEEP(2))--"

If the HTTP response is delayed by approximately 2 seconds, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade ChurchCRM to version 7.1.0 or later where the issue is fixed.

If upgrading is not immediately possible, apply the following code changes to enforce integer validation and casting:

  • In src/FundRaiserEditor.php, specify the 'int' type when filtering input: $iFundRaiserID = InputUtils::legacyFilterInputArr($_GET, 'FundRaiserID', 'int');
  • In src/Reports/FundRaiserStatement.php, cast the session variable to integer before use: $iFundRaiserID = (int) $_SESSION['iCurrentFundraiser'];

These changes ensure that the FundRaiserID is properly validated as an integer, preventing malicious SQL injection payloads from being executed.

Additionally, restrict access to authenticated users only and monitor logs for suspicious activity related to FundRaiserID parameters.

Compliance Impact

This SQL injection vulnerability allows authenticated attackers to extract sensitive data such as admin usernames, password hashes, and database structure. Such unauthorized access and potential data breaches can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.

By enabling attackers to bypass authentication and manipulate or delete database records, the vulnerability increases the risk of data integrity and confidentiality violations, further impacting compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35566. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart