SQL Injection Vulnerability in ChurchCRM Open-Source Church Management System
CVE-2026-39340
8.1 HIGH
What is CVE-2026-39340?
A SQL injection vulnerability exists in ChurchCRM, an open-source church management system, prior to version 7.1.0. The flaw arises from the replacement of legacyFilterInput() with sanitizeText(), which allows user input from the Name and Description fields to flow directly into raw SQL queries without adequate escaping. This grants any authenticated user with the MenuOptions role the ability to perform time-based blind SQL injection, potentially leading to unauthorized access and exfiltration of sensitive data, including user password hashes. A patch is available in version 7.1.0 to rectify this serious security issue.
Affected Version(s)
CRM < 7.1.0
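As an added illustration (not ChurchCRM's code), the following Python/sqlite3 model shows the defect class the advisory describes: a hypothetical sanitize_text() that strips markup leaves SQL metacharacters intact, so interpolating its output into a raw query still lets a Name value change the query's meaning, whereas binding the same value as a parameter keeps it a literal. The table and rows are constructed for the example.

```python
import re
import sqlite3


def sanitize_text(value: str) -> str:
    """Hypothetical text sanitizer: strips HTML tags and surrounding whitespace.

    This is presentation-layer cleaning, not SQL escaping: quotes and
    keywords pass through unchanged, which is the gap the advisory describes.
    """
    return re.sub(r"<[^>]*>", "", value).strip()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a menu-options table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE menu_options (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO menu_options (name, description) VALUES (?, ?)",
        [("Youth Group", "Weekly meeting"), ("Choir", "Sunday rehearsal")],
    )
    return conn


def count_by_name_vulnerable(conn: sqlite3.Connection, name: str) -> int:
    """Anti-pattern: sanitized text is interpolated into raw SQL."""
    sql = f"SELECT COUNT(*) FROM menu_options WHERE name = '{sanitize_text(name)}'"
    return conn.execute(sql).fetchone()[0]


def count_by_name_safe(conn: sqlite3.Connection, name: str) -> int:
    """Hardened form: the value is bound; the driver never parses it as SQL."""
    sql = "SELECT COUNT(*) FROM menu_options WHERE name = ?"
    return conn.execute(sql, (sanitize_text(name),)).fetchone()[0]


def demo() -> dict:
    """Compare both query styles on a benign name and on a quote-bearing name."""
    conn = make_db()
    benign = "Choir"
    # Markup is stripped, but the single quote survives sanitize_text().
    quoted = "<i>x</i>' OR 'a'='a"
    return {
        "sanitized_quoted": sanitize_text(quoted),
        "vulnerable_benign": count_by_name_vulnerable(conn, benign),   # 1
        "safe_benign": count_by_name_safe(conn, benign),               # 1
        "vulnerable_quoted": count_by_name_vulnerable(conn, quoted),   # 2: every row matches
        "safe_quoted": count_by_name_safe(conn, quoted),               # 0: literal, no such name
    }


if __name__ == "__main__":
    print(demo())
```

The safe variant is the shape of the fix a reviewer would expect; whatever sanitizeText() does for display, only parameter binding (or a driver's dedicated SQL escaping) keeps the Name and Description values from being interpreted as query syntax.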
