Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.

INFO

Published Date :

2026-04-07T18:05:18.331Z

Last Modified :

2026-04-08T14:39:12.132Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39319 vulnerability.

Vendors Products
Churchcrm
  • Churchcrm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39319.

URL Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-vg4m-hc29-jgqj cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact