CVE-2026-39340HIGH 8.1EPSS p13.1%

CVE-2026-39340CVE-2026-39340

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() which both strips HTML and escapes SQL — was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields are concatenated directly into raw INSERT and UPDATE queries with no SQL escaping. This allows any authenticated user with the MenuOptions role (a non-admin staff permission) to perform time-based blind injection and exfiltrate any data from the database, including password hashes of all users. This vulnerability is fixed in 7.1.0.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS0.23% probability of exploitation · percentile 13.1% · 2026-06-19T12:03:05Z
Published2026-04-07
Last modified2026-04-09

Underlying weaknesses· 1

CWE-89

References

  1. https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9
  2. https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-890%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-39326
CVE
CVE-2026-39330
CVE
CVE-2026-39318
CVE
CVE-2026-39334
CVE
CVE-2026-39341
CVE
CVE-2026-39327
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.