CVE-2026-39329

ChurchCRM has a Blind SQL injection in EventNames.php

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reaches an ON DUPLICATE KEY UPDATE clause where unescaped user input is interpolated directly. This vulnerability is fixed in 7.1.0.

INFO

Published Date :

2026-04-07T17:33:30.119Z

Last Modified :

2026-04-07T19:59:23.647Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-39329 vulnerability.

Vendors	Products
Churchcrm	Churchcrm

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39329.

URL	Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-ggfm-5q4w-p93g

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact