CVE-2026-39334
Status: Received - Intake
SQL Injection in ChurchCRM /SettingsIndividual.php Allows Data Manipulation

Publication date: 2026-04-07

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via the index and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-10
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: churchcrm; Product: churchcrm; Version / Range: up to 7.1.0 (excluding)
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39334 is a blind SQL injection vulnerability found in the ChurchCRM application, specifically in the endpoint /SettingsIndividual.php in versions up to 7.0.5.

Authenticated users, even without special privileges, can exploit this vulnerability by injecting arbitrary SQL statements through the type array parameter via its index.

The vulnerability arises because the array keys (indexes) of the type parameter are used directly in SQL queries without proper sanitization or escaping, allowing attackers to manipulate the database queries.

This flaw enables attackers to extract, modify, and potentially delete sensitive data from the database.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The SQL injection vulnerability in ChurchCRM allows authenticated users to extract, modify, and delete sensitive data from the database. This can lead to unauthorized access and manipulation of personal and sensitive information stored within the system.

Such unauthorized data access and modification can result in non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access, alteration, and disclosure.

Therefore, exploitation of this vulnerability could lead to breaches of confidentiality, integrity, and availability of data, potentially causing violations of these common standards and regulations.


How can this vulnerability impact me?

This vulnerability can lead to complete database compromise, including reading, writing, and deleting data.

  • Extraction of all sensitive ChurchCRM data.
  • Potential privilege escalation.
  • Possible remote code execution depending on SQL functions and database configuration.

The vulnerability has a high severity with a CVSS v3 base score of 8.8, indicating a significant risk.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /SettingsIndividual.php endpoint for SQL injection via the type array parameter's index. Since the injection occurs through the array keys, crafted POST requests can be sent to observe if SQL injection is possible.

An example detection method involves sending POST requests with payloads like type[0 AND (SQL payload)] = "boolean" to check for blind SQL injection using time-based techniques.

A practical approach is to use a script or tool that sends such crafted POST requests and measures response delays caused by SQL functions like SLEEP(), indicating successful injection.

No specific command-line commands are provided in the resources, but using tools like curl or custom Python scripts to send POST requests with manipulated type array keys can help detect the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where the vulnerability has been fixed by properly sanitizing the type array keys.

Until the upgrade can be applied, restrict access to the /SettingsIndividual.php endpoint to trusted authenticated users and monitor for suspicious activity involving the type parameter.

Additionally, applying web application firewall (WAF) rules to detect and block SQL injection attempts targeting the type array parameter can help reduce risk.
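As an added example (not from the advisory and not ChurchCRM's own code), the Python below shows the allowlist check that the fix and the WAF rule above both amount to, applied to the raw form field names of a POST body: it assumes the endpoint only ever expects plain integer indexes in type[...], so any other index is treated as an injection attempt to log and reject before it can reach a query builder.

```python
import re
from urllib.parse import parse_qsl

# Matches PHP-style array field names of the form  name[index]  (one nesting level).
ARRAY_KEY_RE = re.compile(r"^(?P<name>[A-Za-z_][A-Za-z0-9_]*)\[(?P<index>[^\]]*)\]$")


def parse_form_body(body: str) -> list[tuple[str, str]]:
    """Decode an application/x-www-form-urlencoded body, keeping the raw field names
    (percent-encoding and '+' are decoded, so an encoded bracket payload is seen)."""
    return parse_qsl(body, keep_blank_values=True)


def suspicious_array_indexes(body: str, field: str = "type") -> list[str]:
    """Return every index of `field[...]` that is not a plain non-negative integer.

    Assumption (labelled): the endpoint addresses entries as type[0], type[1], ...,
    so spaces, quotes or SQL keywords inside the brackets are never legitimate.
    The empty index of type[] (PHP auto-append) is also rejected under that assumption.
    This is the condition a WAF rule or a request log monitor would alert on."""
    bad = []
    for raw_key, _value in parse_form_body(body):
        m = ARRAY_KEY_RE.match(raw_key)
        if m and m.group("name") == field and not m.group("index").isdigit():
            bad.append(m.group("index"))
    return bad


def validated_type_indexes(body: str, field: str = "type") -> list[int]:
    """Server-side allowlist: reject the whole request if any index is not numeric,
    otherwise return the indexes as ints. Even validated ints should then be bound
    as query parameters, never interpolated into the SQL string."""
    bad = suspicious_array_indexes(body, field)
    if bad:
        raise ValueError(f"rejected non-numeric {field}[] index: {bad[0]!r}")
    indexes = []
    for raw_key, _value in parse_form_body(body):
        m = ARRAY_KEY_RE.match(raw_key)
        if m and m.group("name") == field:
            indexes.append(int(m.group("index")))
    return indexes


if __name__ == "__main__":
    # Constructed sample bodies: a benign request and one carrying an injected index.
    benign = "type[0]=boolean&type[1]=text"
    injected = "type%5B0+AND+%281%3D1%29%5D=boolean"   # decodes to type[0 AND (1=1)]
    print(validated_type_indexes(benign))              # [0, 1]
    print(suspicious_array_indexes(injected))          # ['0 AND (1=1)']
```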

