CVE-2026-39326
SQL Injection in ChurchCRM PropertyTypeEditor Allows Data Manipulation

Publication date: 2026-04-07

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description parameters and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-10
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: churchcrm
Product: churchcrm
Version / Range: up to 7.1.0 (excluding)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39326 is a blind SQL injection vulnerability found in ChurchCRM version 7.0.5, specifically in the /PropertyTypeEditor.php endpoint.

Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL commands through the Name and Description parameters because these inputs are insufficiently sanitized.

The vulnerability arises because the inputs are sanitized only by a function called sanitizeText, which fails to properly escape SQL special characters, allowing attackers to manipulate SQL queries.

This allows attackers to execute unauthorized SQL statements such as INSERT or UPDATE on the propertytype_prt database table, potentially extracting, modifying, or deleting data.

How can this vulnerability impact me?

This vulnerability can have severe impacts including complete compromise of the ChurchCRM database.

  • Attackers can read, modify, or delete sensitive data stored in the database.
  • It can lead to privilege escalation within the application.
  • There is a potential for remote code execution depending on the database configuration and SQL functions available.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to exploit the SQL injection in the /PropertyTypeEditor.php endpoint using the Name and Description POST parameters while authenticated as a user with the isMenuOptionsEnabled role.

A common approach is to use automated SQL injection testing tools such as sqlmap to send crafted POST requests with malicious payloads in these parameters to check for injection vulnerabilities.

  • Use sqlmap with authentication cookies or credentials to target the /PropertyTypeEditor.php endpoint, specifying the Name and Description parameters for injection testing.
  • Example command: sqlmap -u "https://yourchurchcrminstance/PropertyTypeEditor.php" --data="Name=test&Description=test&Submit=Submit" --cookie="session=your_session_cookie" -p Name,Description --level=5 --risk=3

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The SQL injection vulnerability in ChurchCRM allows authenticated users with specific roles to extract, modify, or delete sensitive data from the database. This can lead to unauthorized access and data breaches involving personal or sensitive information stored within the system.

Such unauthorized data access and potential data manipulation can result in non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of data, leading to violations of these common standards and regulations.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this SQL injection vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the /PropertyTypeEditor.php endpoint to only trusted users and review user roles to ensure that only necessary users have the isMenuOptionsEnabled privilege.

Additionally, monitor logs for suspicious activity involving the Name and Description parameters and consider implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting this endpoint.
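As an added example (not from this advisory or the ChurchCRM project), the following Python check performs the log review the mitigation above recommends: it scans request-log lines for POST requests to /PropertyTypeEditor.php whose Name or Description values contain SQL syntax. The log format and the sample lines are constructed assumptions; adapt the line regex to whatever your reverse proxy or application actually records.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request-log lines (not real ChurchCRM logs). Assumed format:
# <timestamp> <client-ip> <user> <method> <path> body=<url-encoded POST body>
SAMPLE_LOG = """\
2026-04-08T10:15:01Z 10.0.0.5 alice POST /PropertyTypeEditor.php body=Name=Building+Fund&Description=Annual+drive&Submit=Submit
2026-04-08T10:16:44Z 10.0.0.9 bob POST /PropertyTypeEditor.php body=Name=test%27+OR+%271%27%3D%271&Description=x&Submit=Submit
2026-04-08T10:17:02Z 10.0.0.9 bob POST /PropertyTypeEditor.php body=Name=ok&Description=x%27%3B+UPDATE+propertytype_prt+SET+x%3D1--&Submit=Submit
"""
TARGET_PATH = "/PropertyTypeEditor.php"
WATCHED_PARAMS = ("Name", "Description")

# Heuristic for SQL syntax inside values that should be plain text: a quote
# followed by a boolean/select keyword, a statement separator followed by a
# write keyword, or a comment marker.
SQLI_PATTERN = re.compile(
    r"'\s*(or|and|union|select)\b|;\s*(update|insert|delete|drop)\b|--|/\*",
    re.IGNORECASE,
)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) body=(.*)$")

def suspicious_values(body):
    """Return {param: decoded value} for watched params whose value looks like SQL."""
    params = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if SQLI_PATTERN.search(value):
                hits[name] = value
    return hits

def scan_log(text):
    """Return (timestamp, user, ip, hits) for each suspicious POST to the editor."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, method, path, body = m.groups()
        if method == "POST" and path == TARGET_PATH:
            hits = suspicious_values(body)
            if hits:
                findings.append((ts, user, ip, hits))
    return findings

if __name__ == "__main__":
    for ts, user, ip, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} user={user} ip={ip} suspicious={hits}")
```

Findings should be correlated with the account's role: a hit from a user holding isMenuOptionsEnabled on an instance older than 7.1.0 warrants a database integrity review, not just a blocked request.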
