Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() which both strips HTML and escapes SQL — was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields are concatenated directly into raw INSERT and UPDATE queries with no SQL escaping. This allows any authenticated user with the MenuOptions role (a non-admin staff permission) to perform time-based blind injection and exfiltrate any data from the database, including password hashes of all users. This vulnerability is fixed in 7.1.0.

INFO

Published Date :

2026-04-07T18:00:09.383Z

Last Modified :

2026-04-08T18:45:58.503Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39340 vulnerability.

Vendors Products
Churchcrm
  • Churchcrm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39340.

URL Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact