CVE-2026-39329
Status: Received - Intake
SQL Injection in ChurchCRM EventNames.php Allows Data Manipulation

Publication date: 2026-04-07

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reaches an ON DUPLICATE KEY UPDATE clause where unescaped user input is interpolated directly. This vulnerability is fixed in 7.1.0.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-10
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: churchcrm
Product: churchcrm
Version / Range: all versions before 7.1.0 (7.1.0 itself excluded)
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-39329 is a high-severity blind SQL injection vulnerability that allows authenticated users with AddEvent privileges to extract sensitive database information and potentially modify data. Such unauthorized access and data manipulation can lead to breaches of confidentiality and integrity of personal or sensitive data.

Because the vulnerability enables data disclosure and modification, it could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and alteration.

Organizations using vulnerable versions of ChurchCRM prior to 7.1.0 may face increased risk of non-compliance due to potential data breaches stemming from this SQL injection flaw.


Can you explain this vulnerability to me?

CVE-2026-39329 is a blind SQL injection vulnerability found in ChurchCRM version 7.0.5, specifically in the EventNames.php script. It affects authenticated users who have AddEvent privileges.

The vulnerability occurs when these users create event types and supply input via the newEvtTypeCntLst parameter. Although part of the input is filtered, the same input is later directly inserted into an SQL query's ON DUPLICATE KEY UPDATE clause without proper sanitization, allowing SQL injection.

This flaw enables attackers to perform blind SQL injection attacks, such as timing side-channel attacks, to extract sensitive database information despite input length restrictions.

The issue was fixed in ChurchCRM version 7.1.0.
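
As an added illustration (not ChurchCRM's code, which this page does not reproduce), the following Python/SQLite snippet contrasts the CWE-89 pattern described above, a user-supplied value spliced into an upsert's UPDATE clause, with a parameterised version guarded by allow-list validation. The table and column names, the assumed "digits and commas" format of the count list, and the use of SQLite's ON CONFLICT ... DO UPDATE as the stand-in for MySQL's ON DUPLICATE KEY UPDATE are all assumptions of the example.

```python
import re
import sqlite3
from typing import Optional

# Constructed stand-in for an event-type table. ChurchCRM's real schema, table
# and column names are not given on the page; these names are assumptions.
SCHEMA = """
CREATE TABLE event_types (
    name       TEXT PRIMARY KEY,
    count_list TEXT NOT NULL
);
"""

# Assumed intended shape of the count-list parameter: digits separated by
# commas. Anything else is rejected before a query is built at all.
COUNT_LIST_RE = re.compile(r"^\d+(,\d+)*$")

SAFE_UPSERT = (
    "INSERT INTO event_types (name, count_list) VALUES (?, ?) "
    "ON CONFLICT(name) DO UPDATE SET count_list = excluded.count_list"
)


def new_connection() -> sqlite3.Connection:
    """In-memory SQLite database with the constructed schema loaded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_count_list(conn: sqlite3.Connection, name: str) -> Optional[str]:
    row = conn.execute(
        "SELECT count_list FROM event_types WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def build_unsafe_upsert(name: str, count_list: str) -> str:
    """CWE-89 pattern: the submitted value is spliced into the SQL text, and the
    upsert's UPDATE clause (SQLite's ON CONFLICT ... DO UPDATE standing in for
    MySQL's ON DUPLICATE KEY UPDATE) repeats the same unescaped interpolation."""
    return (
        "INSERT INTO event_types (name, count_list) "
        f"VALUES ('{name}', '{count_list}') "
        f"ON CONFLICT(name) DO UPDATE SET count_list = '{count_list}'"
    )


def unsafe_upsert_treats_input_as_sql(conn: sqlite3.Connection,
                                      name: str, count_list: str) -> bool:
    """Runs the string-built query. Returns True when the database handled the
    value as SQL syntax (a parse/execution error, or a stored value that differs
    from what was submitted) instead of storing it as plain data."""
    try:
        with conn:
            conn.execute(build_unsafe_upsert(name, count_list))
    except sqlite3.OperationalError:
        return True  # the quote in the input terminated the string literal
    return fetch_count_list(conn, name) != count_list


def validate_count_list(value: str) -> bool:
    """Allow-list check on the parameter's assumed format."""
    return COUNT_LIST_RE.fullmatch(value) is not None


def safe_upsert(conn: sqlite3.Connection, name: str, count_list: str,
                validate: bool = True) -> Optional[str]:
    """Hardened form: validate, then run a parameterised query whose
    placeholders cover the UPDATE clause as well, so the driver binds the value
    as data. Returns the value now stored for `name`."""
    if validate and not validate_count_list(count_list):
        raise ValueError("count list must be digits separated by commas")
    with conn:
        conn.execute(SAFE_UPSERT, (name, count_list))
    return fetch_count_list(conn, name)


if __name__ == "__main__":
    db = new_connection()
    probe = "0' OR SLEEP(5)######"  # the probe string quoted in this advisory
    print("unsafe query treated probe as SQL:",
          unsafe_upsert_treats_input_as_sql(db, "Meeting", probe))
    print("validation accepts probe:", validate_count_list(probe))
    # Even with validation switched off, binding keeps the probe as data.
    print("stored by safe upsert:", safe_upsert(db, "Meeting", probe, validate=False))
```

The point of the second parameterised path is the one the advisory makes about "part of the input is filtered": filtering the INSERT values but re-interpolating the same string into the UPDATE clause leaves the injection point intact, whereas binding every occurrence removes it regardless of what the value contains.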


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized disclosure of sensitive data, modification of database contents, and potential denial of service.

  • Confidentiality: Attackers can extract sensitive information from the database using timing attacks.
  • Integrity: Attackers may manipulate or alter database data due to the ability to inject SQL commands.
  • Availability: The vulnerability can be exploited to cause delays or denial of service by using payloads that trigger time-based SQL functions.

Exploitation requires only low privileges (AddEvent rights) and no user interaction, making it relatively easy for an authenticated user to abuse.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /EventNames.php endpoint for SQL injection via the newEvtTypeCntLst POST parameter during event type creation by authenticated users with AddEvent privileges.

A practical detection method is time-based blind SQL injection: send a payload that forces a measurable delay, such as ' OR SLEEP(5)######, in the newEvtTypeCntLst parameter and compare the response time with that of a normal request.

Since exploitation requires authentication with AddEvent privileges, detection commands should be executed in an authenticated session.

  • Use curl or a similar tool to send POST requests with payloads to /EventNames.php in an authenticated session (the cookie file supplies the session), for example:
      curl -X POST -b cookies.txt -d "newEvtTypeCntLst=0' OR SLEEP(5)######" https://yourchurchcrmserver/EventNames.php
  • Measure response times: a delay of roughly the SLEEP duration indicates SQL injection.
  • Alternatively, use automated scripts (such as the referenced Python exploitation script) that log in, create event types, and send crafted payloads to detect the vulnerability via timing side channels.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this SQL injection vulnerability in EventNames.php has been fixed.

Until the upgrade can be performed, restrict AddEvent privileges to trusted users only, as exploitation requires authenticated users with these privileges.

Additionally, monitor and audit usage of the /EventNames.php endpoint for suspicious activity or unusual delays that may indicate exploitation attempts.
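
As an added example (not from the vendor or the advisory), the script below implements the "monitor and audit /EventNames.php for unusual delays" recommendation over constructed access-log lines: it flags POSTs to the endpoint whose server-side request time is far above the normal baseline and reports which accounts produced repeated slow requests. The log format (nginx-style with $request_time appended), the 4-second threshold, the usernames, addresses and timings are all constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed access log. Format assumed: remote_addr - remote_user [time]
# "request" status bytes request_time_seconds (nginx-style with $request_time).
# One deliberately malformed line is included to show it is skipped.
SAMPLE_LOG = """\
10.0.0.5 - alice [07/Apr/2026:10:15:02 +0000] "POST /EventNames.php HTTP/1.1" 200 1843 0.042
10.0.0.5 - alice [07/Apr/2026:10:15:09 +0000] "POST /EventNames.php HTTP/1.1" 200 1843 5.118
10.0.0.9 - bob [07/Apr/2026:10:16:30 +0000] "GET /Events.php HTTP/1.1" 200 9120 0.031
10.0.0.9 - bob [07/Apr/2026:10:16:41 +0000] "POST /EventNames.php HTTP/1.1" 200 1843 0.057
10.0.0.5 - alice [07/Apr/2026:10:17:44 +0000] "POST /EventNames.php HTTP/1.1" 200 1843 5.204
this line is deliberately malformed and must be skipped
10.0.0.5 - alice [07/Apr/2026:10:19:01 +0000] "POST /EventNames.php?x=1 HTTP/1.1" 200 1843 10.301
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>\d+(?:\.\d+)?)$'
)

# The endpoint named in the advisory; the application may live under a prefix
# in a real deployment, so adjust this to the installed path.
WATCHED_PATH = "/EventNames.php"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop any query string
    rec["rt"] = float(rec["rt"])
    return rec


def find_slow_posts(lines: List[str], threshold_s: float = 4.0) -> List[dict]:
    """Return records for POSTs to the watched endpoint whose request time is
    at or above threshold_s. A SLEEP(5) probe shows up as a ~5 s request; a
    normal event-type save in the constructed data takes well under 0.1 s."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == WATCHED_PATH \
                and rec["rt"] >= threshold_s:
            alerts.append(rec)
    return alerts


def count_by_user(alerts: List[dict]) -> Dict[str, int]:
    """Number of slow POSTs per authenticated user."""
    return dict(Counter(rec["user"] for rec in alerts))


def burst_users(alerts: List[dict], min_hits: int = 2) -> List[str]:
    """Users with repeated slow POSTs: time-based extraction needs many
    requests, so repetition from one account is the stronger signal."""
    return sorted(u for u, n in count_by_user(alerts).items() if n >= min_hits)


if __name__ == "__main__":
    hits = find_slow_posts(SAMPLE_LOG.splitlines())
    for rec in hits:
        print(f'{rec["ts"]} {rec["user"]}@{rec["ip"]} {rec["path"]} {rec["rt"]:.3f}s')
    print("repeat offenders:", burst_users(hits))
```

Access logs do not record POST bodies, so request time is the signal available here; seeing the newEvtTypeCntLst value itself requires application-level or WAF logging of request parameters. Tune the threshold to the deployment's real baseline, since legitimate slow operations (large imports, backups) on other endpoints should not be swept in, which is why the check is restricted to POSTs on the one affected path.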

