ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() which both strips HTML and escapes SQL — was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields are concatenated directly into raw INSERT and UPDATE queries with no SQL escaping. This allows any authenticated user with the MenuOptions role (a non-admin staff permission) to perform time-based blind injection and exfiltrate any data from the database, including password hashes of all users. This vulnerability is fixed in 7.1.0.

Basic Information

ID CVE-2026-39340

Source GitHub_M

Published Apr 7, 2026 at 18:00

Modified Apr 8, 2026 at 18:45

Affected Product

Vendor ChurchCRM

Product CRM

Version < 7.1.0

Affected Versions ChurchCRM CRM < 7.1.0

CWE Classification

CWE-89

References

github.com /ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9

{
    "lastseen": "",
    "description": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People \u2192 Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() which both strips HTML and escapes SQL \u2014 was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields are concatenated directly into raw INSERT and UPDATE queries with no SQL escaping. This allows any authenticated user with the MenuOptions role (a non-admin staff permission) to perform time-based blind injection and exfiltrate any data from the database, including password hashes of all users. This vulnerability is fixed in 7.1.0.",
    "published": "2026-04-07T18:00:09.383Z",
    "modified": "2026-04-08T18:45:58.503Z",
    "type": "cve",
    "title": "ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer Substitution",
    "source": "GitHub_M",
    "references": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9",
    "id": "CVE-2026-39340",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "ChurchCRM CRM < 7.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "CRM",
    "version": "< 7.1.0",
    "vendor": "ChurchCRM",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer Substitution_CVE-2026-39340