CVE-2026-39343
SQL Injection in ChurchCRM EditEventTypes.php Allows Admin Data Manipulation
Publication date: 2026-04-07
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | all versions before 7.1.0 (7.1.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39343 is a high-severity SQL injection vulnerability in the ChurchCRM application, specifically in the EditEventTypes.php file accessible only to administrators.
The vulnerability occurs because the EN_tyid POST parameter is not sanitized before being used directly in a SQL query, allowing an administrator to inject arbitrary SQL commands.
This means an attacker with administrator access can manipulate the EN_tyid parameter to execute unauthorized SQL queries against the database.
How can this vulnerability impact me?
This vulnerability allows an attacker with administrator privileges to execute arbitrary SQL commands, which can lead to several serious impacts.
- Exfiltration of the entire database, exposing sensitive data.
- Bypassing application-level security controls and user interface restrictions.
- Modification or deletion of data, affecting data integrity.
- Potential escalation of privileges from the database user to the operating system user, possibly leading to full server compromise.
- Disruption of service availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by intercepting and modifying POST requests to the EditEventTypes.php file, specifically the EN_tyid parameter.
A common detection method is to use a proxy tool like Burp Suite to capture the POST request and inject a time-based blind SQL injection payload such as: EN_tyid=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1
If the server response is delayed by the number of seconds specified in the payload (e.g., 5 seconds), it confirms the presence of the SQL injection vulnerability.
Commands or steps to detect this include:
- Use a proxy tool (e.g., Burp Suite) to intercept the POST request to EditEventTypes.php.
- Modify the EN_tyid POST parameter to include a time-based SQL injection payload.
- Observe the server response time for delays indicating successful injection.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this SQL injection vulnerability has been fixed.
Until the upgrade can be performed, restrict administrator access to trusted users only, as exploitation requires administrator privileges.
Additionally, monitor and audit administrator actions and network traffic for suspicious activity involving the EditEventTypes.php endpoint.
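As an added defensive example for the detection and monitoring points above (written for this page, not ChurchCRM code or part of the advisory), the check below scans constructed request records for POSTs to EditEventTypes.php whose EN_tyid value is not a plain integer; the record format, field names and the proxy-style body logging are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample records of POST requests, shaped like what a reverse proxy
# or WAF with request-body logging might emit. Illustrative data, not real traffic.
SAMPLE_REQUESTS = [
    {"user": "admin", "path": "/EditEventTypes.php", "body": "EN_tyid=12&EN_Name=Service"},
    {"user": "admin", "path": "/EditEventTypes.php",
     "body": "EN_tyid=1%27+AND+%28SELECT+1+FROM+%28SELECT%28SLEEP%285%29%29%29a%29+AND+%271%27%3D%271"},
    {"user": "admin", "path": "/EditEventTypes.php", "body": "EN_tyid=7%20OR%201%3D1"},
    {"user": "bob", "path": "/ListEvents.php", "body": "EN_tyid=abc"},
]

# Fragments typical of SQL injection probes. They are only consulted after the
# strict integer check has already failed, so they add context, not the verdict.
SQLI_HINTS = re.compile(r"(sleep\s*\(|benchmark\s*\(|\bor\b|\band\b|\bunion\b|--|')", re.IGNORECASE)

def check_request(req):
    """Return a finding dict if EN_tyid on EditEventTypes.php is not an integer, else None."""
    if not req["path"].endswith("/EditEventTypes.php"):
        return None
    params = parse_qs(req["body"], keep_blank_values=True)
    for value in params.get("EN_tyid", []):
        # EN_tyid is an event-type id: anything but a decimal integer is suspicious.
        if re.fullmatch(r"\d+", value):
            continue
        hints = sorted({m.lower() for m in SQLI_HINTS.findall(value)})
        return {"user": req["user"], "value": value, "hints": hints}
    return None

def scan(requests):
    """Run check_request over every record and keep the findings."""
    return [f for f in (check_request(r) for r in requests) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"suspicious EN_tyid from {finding['user']}: {finding['value']!r} hints={finding['hints']}")
```

Because the flaw is only reachable by administrators, correlating each finding with the acting account is the useful part: a legitimate form submission never produces a non-numeric EN_tyid.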
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in ChurchCRM allows an administrator to execute arbitrary SQL commands, potentially leading to unauthorized access, data exfiltration, and modification of sensitive information stored in the database.
Such unauthorized access and potential data breaches can compromise the confidentiality, integrity, and availability of personal and sensitive data, which are critical requirements under common standards and regulations like GDPR and HIPAA.
Therefore, if exploited, this vulnerability could lead to non-compliance with these regulations due to failure to protect personal data against unauthorized access and disclosure.