CVE-2026-39327

ChurchCRM has a SQL injection in MemberRoleChange.php

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject arbitrary SQL statements through the NewRole parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.

INFO

Published Date :

2026-04-07T17:31:37.384Z

Last Modified :

2026-04-07T18:39:00.851Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-39327 vulnerability.

Vendors	Products
Churchcrm	Churchcrm

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39327.

URL	Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66fc-v5xj-x859

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact