ChurchCRM has a Second Order SQLI via FundRaiserEditor.php_CVE-2026-39319

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.

Basic Information

ID CVE-2026-39319

Source GitHub_M

Published Apr 7, 2026 at 18:05

Modified Apr 8, 2026 at 14:39

Affected Product

Vendor ChurchCRM

Product CRM

Version < 7.1.0

Affected Versions ChurchCRM CRM < 7.1.0

CWE Classification

CWE-89

References

github.com /ChurchCRM/CRM/security/advisories/GHSA-vg4m-hc29-jgqj

{
    "lastseen": "",
    "description": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.",
    "published": "2026-04-07T18:05:18.331Z",
    "modified": "2026-04-08T14:39:12.132Z",
    "type": "cve",
    "title": "ChurchCRM has a Second Order SQLI via FundRaiserEditor.php",
    "source": "GitHub_M",
    "references": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-vg4m-hc29-jgqj",
    "id": "CVE-2026-39319",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "ChurchCRM CRM < 7.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "CRM",
    "version": "< 7.1.0",
    "vendor": "ChurchCRM",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}