CVE-2026-39341
Time-Based SQL Injection in ChurchCRM Reports Endpoint
Publication date: 2026-04-07
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | to 7.1.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39341 is a high-severity time-based SQL injection vulnerability in ChurchCRM versions up to 5.19.0. It occurs because the application does not properly use sanitized input when constructing SQL queries. Specifically, the 'familyId' parameter in the endpoint Reports/ConfirmReportEmail.php is filtered but the raw input is still directly concatenated into the SQL query, allowing attackers to inject malicious SQL code.
This vulnerability allows an attacker to execute arbitrary SQL commands by injecting specially crafted input, which can cause the database to delay responses (time-based blind SQL injection) or potentially extract sensitive data.
How can this vulnerability impact me?
This vulnerability can have significant impacts including unauthorized manipulation of the database and extraction of sensitive information. Attackers exploiting this flaw can perform SQL injection attacks that may lead to data breaches or unauthorized actions within the ChurchCRM system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the vulnerable endpoint Reports/ConfirmReportEmail.php with specially crafted input to the familyId parameter that causes a time delay in the SQL query execution.
A proof-of-concept uses a curl command to inject a time delay (SLEEP(5)) into the SQL query, which causes the database to pause for 5 seconds before responding. If the response time is significantly delayed, it confirms the presence of the time-based blind SQL injection vulnerability.
- Use a curl command similar to: curl "http://[target]/Reports/ConfirmReportEmail.php?familyId=1) OR SLEEP(5)--"
- Observe if the response time is delayed by approximately 5 seconds, indicating successful injection.
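The curl test above probes the endpoint directly. From the defender's side the same signature can be looked for after the fact in web-server access logs: any request to Reports/ConfirmReportEmail.php whose familyId value is not a plain integer is worth a look, and a delay function such as SLEEP in that value is the marker of the time-based variant described here. The PHP below is an added example, not part of this advisory and not ChurchCRM code; the "combined" log format, the sample lines and the function names are constructed for the demonstration.

```php
<?php
// Added example, not part of the advisory: flag requests to the affected endpoint
// whose familyId parameter is not a plain integer. The log format (Apache/nginx
// "combined") and the sample lines below are constructed for this demonstration.

declare(strict_types=1);

const AFFECTED_PATH = '/Reports/ConfirmReportEmail.php';

/**
 * Inspect one combined-format access-log line. Returns a finding array when the
 * request targets the affected endpoint with a non-numeric familyId, else null.
 */
function inspectLogLine(string $line): ?array
{
    // ip ident user [time] "METHOD target PROTOCOL" status bytes "referer" "agent"
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m)) {
        return null; // not a line in the expected format
    }
    [, $ip, $time, , $target, $status] = $m;

    $url = parse_url($target);
    if (!is_array($url) || ($url['path'] ?? '') !== AFFECTED_PATH || !isset($url['query'])) {
        return null; // different endpoint, or no query string at all
    }
    parse_str($url['query'], $params); // parse_str also percent-decodes the values
    if (!isset($params['familyId']) || !is_string($params['familyId'])) {
        return null;
    }
    $familyId = $params['familyId'];
    if (ctype_digit($familyId)) {
        return null; // well-formed numeric id: nothing to report
    }
    // Delay functions are the marker of the time-based variant the advisory describes.
    $reason = preg_match('/\b(SLEEP|BENCHMARK|WAITFOR)\b/i', $familyId)
        ? 'time-based SQL injection marker in familyId'
        : 'non-numeric familyId';
    return ['ip' => $ip, 'time' => $time, 'status' => (int) $status,
            'familyId' => $familyId, 'reason' => $reason];
}

/** Run inspectLogLine over every line and return all findings. */
function scanAccessLog(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $finding = inspectLogLine(rtrim((string) $line, "\r\n"));
        if ($finding !== null) {
            $findings[] = $finding;
        }
    }
    return $findings;
}

// Constructed sample log; the second line carries the payload from the PoC above.
$sampleLog = [
    '203.0.113.5 - - [07/Apr/2026:10:00:01 +0000] "GET /Reports/ConfirmReportEmail.php?familyId=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Apr/2026:10:00:09 +0000] "GET /Reports/ConfirmReportEmail.php?familyId=1)%20OR%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [07/Apr/2026:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

foreach (scanAccessLog($sampleLog) as $f) {
    printf("%s %s familyId=%s -> %s\n", $f['time'], $f['ip'], $f['familyId'], $f['reason']);
}
```

Only the second sample line is reported. The keyword check is a cheap heuristic; the stronger rule is the shape check (familyId must be all digits), which also catches payloads that use other delay or error-based techniques. If the server logs request duration (for example Apache's %D field, which the plain combined format lacks), requests to this endpoint that take around the 5 seconds mentioned above corroborate a hit.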
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, restrict access to the vulnerable endpoint Reports/ConfirmReportEmail.php, especially limiting access to trusted users only, to reduce the risk of exploitation.
Additionally, review and improve input validation and ensure that sanitized inputs are properly used in SQL queries to prevent injection.
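The root cause described above is that a sanitized copy of familyId is produced but the raw value is what ends up in the SQL text. The PHP below is an added illustration of that pattern beside a hardened version, not ChurchCRM's own code: the table and column names (families, id, name), the function names and the in-memory SQLite database are assumptions made for the example.

```php
<?php
// Added illustrative example, not ChurchCRM's own code. Table and column names
// (families, id, name) and the helper names are hypothetical.

declare(strict_types=1);

// The unsafe pattern the advisory describes: a sanitized copy of familyId is
// computed, but the RAW request value is what gets concatenated into the SQL
// text, so the filter has no effect on the query that actually runs.
function buildQueryUnsafe(string $rawFamilyId): string
{
    $sanitized = preg_replace('/[^0-9]/', '', $rawFamilyId); // a clean copy exists...
    // ...but the raw value is the one interpolated, so $sanitized is dead code here.
    return 'SELECT name FROM families WHERE id IN (' . $rawFamilyId . ')';
}

// Hardened version: validate the shape first, then bind the value as an integer
// parameter so the database never parses it as SQL syntax.
function fetchFamilyName(PDO $db, string $rawFamilyId): ?string
{
    if (!ctype_digit($rawFamilyId)) { // rejects '', signs, spaces and any SQL characters
        throw new InvalidArgumentException('familyId must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT name FROM families WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawFamilyId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

// Demo on an in-memory SQLite database (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE families (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO families (id, name) VALUES (1, 'Example Family')");

$benign  = '1';
$payload = '1) OR SLEEP(5)--'; // the advisory's time-delay input, as a plain string

echo "unsafe SQL text for benign input:  " . buildQueryUnsafe($benign) . "\n";
echo "unsafe SQL text for payload input: " . buildQueryUnsafe($payload) . "\n";
echo "safe lookup for benign input:      " . var_export(fetchFamilyName($db, $benign), true) . "\n";
try {
    fetchFamilyName($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "safe lookup for payload input:     rejected (" . $e->getMessage() . ")\n";
}
```

The two lines of defence are independent: the ctype_digit check stops malformed input at the boundary, and the bound PDO::PARAM_INT parameter means that even if validation were bypassed or forgotten, the value travels separately from the SQL text and cannot change its structure. When reviewing a fix for this class of bug, confirm that the variable actually used in the query is the validated one, since computing a sanitized copy and then interpolating the original is exactly the defect described above.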
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to perform time-based SQL injection, potentially extracting sensitive data or performing unauthorized actions on the database.
Such unauthorized access and data manipulation can lead to breaches of confidentiality and integrity of personal or sensitive information.
Consequently, this vulnerability could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access and ensuring data integrity.