SQL Injection Vulnerability in Church Management Software
CVE-2026-39327

8.8 HIGH

Key Information:

Vendor

Churchcrm

Status
Vendor
CVE Published:
7 April 2026

What is CVE-2026-39327?

ChurchCRM is an open-source church management system. Versions prior to 7.1.0 contain an SQL injection vulnerability in the /MemberRoleChange.php endpoint: the NewRole request parameter is incorporated into an SQL statement without proper validation or parameter binding, so an authenticated user holding the 'Manage Groups & Roles' permission can inject arbitrary SQL. A successful attack can read and modify data in the application database, including records the attacker's role should never reach, leading to unauthorized access or data manipulation. Because a valid account with that permission is required, the CVSS vector carries Privileges Required: Low rather than None; the flaw is still rated HIGH because no user interaction is needed and the impact on confidentiality, integrity and availability is high. The issue is fixed in version 7.1.0. Administrators should upgrade to 7.1.0 or later and, until they can, restrict the 'Manage Groups & Roles' permission to trusted users.
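The following is an added illustration of the bug class, written for this page; it is not ChurchCRM's code, schema or fix. It models a role-change handler over a constructed SQLite database (table and column names, the sample rows and the fake password hash are all assumptions) and runs two NewRole payloads against a handler that pastes the parameter into SQL text, then shows the same requests against a handler that validates the type and binds the value. The real endpoint is PHP over MySQL; the comment-terminated payload uses `-- ` with a trailing space so it also reads as a comment in MySQL.

```python
import sqlite3

# Constructed in-memory schema standing in for a membership table and a
# credential table. Names and rows are invented for this example only.
SCHEMA = """
CREATE TABLE group_membership (person_id INTEGER, group_id INTEGER, role_id INTEGER);
CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
INSERT INTO group_membership VALUES (1, 10, 2), (2, 10, 2), (3, 10, 3);
INSERT INTO users VALUES (1, 'admin', 'fake-hash-not-a-real-credential');
"""

# Payload 1: closes the SET clause early, rewrites WHERE, comments out the rest.
# Effect: every member's role is changed, not just the one named in the request.
TAMPER_PAYLOAD = "1 WHERE 1=1 -- "

# Payload 2: a subquery as the role value. The admin's stored hash lands in a
# column the attacker can later read back through the UI (second-order exfil).
EXFIL_PAYLOAD = "(SELECT password_hash FROM users WHERE username = 'admin')"


def fresh_db():
    """Return a new in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def change_role_vulnerable(conn, person_id, group_id, new_role):
    """Illustrative vulnerable handler: NewRole is spliced into the SQL text."""
    sql = (f"UPDATE group_membership SET role_id = {new_role} "
           f"WHERE person_id = {int(person_id)} AND group_id = {int(group_id)}")
    conn.execute(sql)
    conn.commit()
    return sql


def change_role_fixed(conn, person_id, group_id, new_role):
    """Hardened handler: enforce the expected type, then bind all values."""
    try:
        role = int(new_role)
    except (TypeError, ValueError):
        raise ValueError("NewRole must be an integer role id")
    conn.execute(
        "UPDATE group_membership SET role_id = ? WHERE person_id = ? AND group_id = ?",
        (role, int(person_id), int(group_id)),
    )
    conn.commit()


def roles(conn):
    """Map person_id -> role_id for the whole membership table."""
    rows = conn.execute(
        "SELECT person_id, role_id FROM group_membership ORDER BY person_id")
    return {pid: rid for pid, rid in rows}


def demo():
    """Run both payloads against both handlers and collect the outcomes."""
    results = {}

    conn = fresh_db()
    change_role_vulnerable(conn, 2, 10, TAMPER_PAYLOAD)
    results["tamper"] = roles(conn)          # all three rows now role 1

    conn = fresh_db()
    change_role_vulnerable(conn, 2, 10, EXFIL_PAYLOAD)
    results["exfil"] = roles(conn)[2]        # admin hash stored as person 2's role

    conn = fresh_db()
    try:
        change_role_fixed(conn, 2, 10, TAMPER_PAYLOAD)
        results["fixed_rejected"] = False
    except ValueError:
        results["fixed_rejected"] = True     # payload never reaches the database
    change_role_fixed(conn, 2, 10, 1)
    results["fixed_roles"] = roles(conn)     # only person 2 changed

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The type check matters as much as the binding: a bound parameter stops the value from being parsed as SQL, but without the `int()` conversion the payload text would still be written into the role column, which is the sort of inconsistent data the fixed handler should refuse outright.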

Affected Version(s)

ChurchCRM < 7.1.0

CVSS v3.1

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published: 7 April 2026

  • Vulnerability reserved