Executive Summary

CVE-2026-39329 is a blind SQL injection vulnerability found in ChurchCRM version 7.0.5, specifically in the EventNames.php script. It affects authenticated users who have AddEvent privileges.

The vulnerability occurs when these users create event types and supply input via the newEvtTypeCntLst parameter. Although part of the input is filtered, the same input is later directly inserted into an SQL query's ON DUPLICATE KEY UPDATE clause without proper sanitization, allowing SQL injection.

This flaw enables attackers to perform blind SQL injection attacks, such as timing side-channel attacks, to extract sensitive database information despite input length restrictions.

The issue was fixed in ChurchCRM version 7.1.0.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized disclosure of sensitive data, modification of database contents, and potential denial of service.

• Confidentiality: Attackers can extract sensitive information from the database using timing attacks.
• Integrity: Attackers may manipulate or alter database data due to the ability to inject SQL commands.
• Availability: The vulnerability can be exploited to cause delays or denial of service by using payloads that trigger time-based SQL functions.

Exploitation requires only low privileges (AddEvent rights) and no user interaction, making it relatively easy for an authenticated user to abuse.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-39329 is a high-severity blind SQL injection vulnerability that allows authenticated users with AddEvent privileges to extract sensitive database information and potentially modify data. Such unauthorized access and data manipulation can lead to breaches of confidentiality and integrity of personal or sensitive data.

Because the vulnerability enables data disclosure and modification, it could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and alteration.

Organizations using vulnerable versions of ChurchCRM prior to 7.1.0 may face increased risk of non-compliance due to potential data breaches stemming from this SQL injection flaw.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the /EventNames.php endpoint for SQL injection via the newEvtTypeCntLst POST parameter during event type creation by authenticated users with AddEvent privileges.

A practical detection method involves sending crafted payloads that cause measurable delays (blind SQL injection) such as using payloads like ' OR SLEEP(5)###### in the newEvtTypeCntLst parameter and observing response times.

Since exploitation requires authentication with AddEvent privileges, detection commands should be executed in an authenticated session.

• Use curl or similar tools to send POST requests with payloads to /EventNames.php, for example:
• curl -X POST -b cookies.txt -d "newEvtTypeCntLst=0' OR SLEEP(5)######" https://yourchurchcrmserver/EventNames.php
• Measure response times to detect delays indicating SQL injection.
• Alternatively, use automated scripts (such as the referenced Python exploitation script) that log in, create event types, and send crafted payloads to detect the vulnerability via timing side channels.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this SQL injection vulnerability in EventNames.php has been fixed.

Until the upgrade can be performed, restrict AddEvent privileges to trusted users only, as exploitation requires authenticated users with these privileges.

Additionally, monitor and audit usage of the /EventNames.php endpoint for suspicious activity or unusual delays that may indicate exploitation attempts.

Useful 0 Not Useful 0