ChurchCRM Fixed Two SQL Injection Flaws in Property and Fundraiser Functions
ChurchCRM fixed two SQL injection vulnerabilities affecting versions prior to 7.1.0, both of which could be exploited by authenticated users with low privileges to access or alter backend data. One flaw, tracked as CVE-2026-34402, was a time-based blind SQL injection in PropertyAssign.php that could be abused by users with Edit Records or Manage Groups permissions to exfiltrate or modify arbitrary database content, including user credentials, personally identifiable information, and configuration secrets.
A second flaw, CVE-2026-35566, affected src/Reports/FundRaiserStatement.php, where an unquoted $_SESSION['iCurrentFundraiser'] value, set earlier through src/FundRaiserEditor.php, was used in a numeric SQL context without integer validation. The issue was rated critical because it could compromise confidentiality, integrity, and availability. Both vulnerabilities are classified as CWE-89 (SQL injection), were fixed in ChurchCRM 7.1.0, and are documented in published GitHub security advisories.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-39342 disclosed for ChurchCRM QueryView.php
CVE-2026-39342 was publicly documented as a SQL injection vulnerability in ChurchCRM's QueryView.php via the searchwhat parameter when QueryID=15 is used. The issue affected versions prior to 7.1.0, required an authenticated user with access to the Advanced Search query, and was reported as fixed in version 7.1.0.
CVE-2026-39329 disclosed for ChurchCRM EventNames.php
CVE-2026-39329 was publicly documented as a blind SQL injection vulnerability in ChurchCRM's /EventNames.php endpoint, where authenticated users with AddEvent privileges could inject SQL via the newEvtTypeCntLst parameter during event type creation. The issue affected versions prior to 7.1.0 and was reported as fixed in version 7.1.0 with a related GitHub security advisory.
CVE-2026-39319 disclosed for ChurchCRM FundRaiserEditor.php
CVE-2026-39319 was publicly documented as a second-order SQL injection vulnerability in ChurchCRM's FundRaiserEditor.php endpoint via the iCurrentFundraiser session parameter. The issue affected versions prior to 7.1.0, could be exploited by an authenticated user without special privileges, and was reported as fixed in version 7.1.0.
CVE-2026-39317 disclosed for ChurchCRM SettingsIndividual.php
CVE-2026-39317 was publicly documented as a SQL injection vulnerability in ChurchCRM's SettingsIndividual.php, where unsanitized user-controlled array keys from the POST parameter type were used directly in SQL queries. The issue affected versions prior to 7.1.0, could be exploited by any authenticated user to extract sensitive database data, and was reported as fixed in version 7.1.0.
CVE-2026-39318 disclosed for ChurchCRM GroupPropsFormRowOps.php
CVE-2026-39318 was publicly documented as a SQL injection vulnerability in ChurchCRM's GroupPropsFormRowOps.php, where the Field parameter could break out of SQL identifier context because backticks were not safely handled. The issue affected versions prior to 7.1.0 and was reported as fixed in version 7.1.0; the CVE entry was received by GitHub on 2026-04-07.
CVE-2026-35566 disclosed for ChurchCRM FundRaiserStatement.php
CVE-2026-35566 was publicly documented as a critical SQL injection vulnerability in ChurchCRM's FundRaiserStatement.php, caused by unsafe use of an unquoted session value without integer validation. The issue was reported as fixed in version 7.1.0 and referenced by a GitHub security advisory.
CVE-2026-35567 disclosed for ChurchCRM MemberRoleChange.php
CVE-2026-35567 was publicly documented as a critical SQL injection vulnerability in ChurchCRM's src/MemberRoleChange.php caused by improper integer validation of the NewRole POST parameter. The issue affected versions prior to 7.1.0, required an authenticated session with ManageGroups privileges, and was reported as fixed in version 7.1.0.
GitHub receives and publishes advisory for CVE-2026-34402
A new vulnerability entry for CVE-2026-34402 was received by security-advisories@github.com on April 6, 2026. The advisory described a time-based blind SQL injection in ChurchCRM's PropertyAssign.php endpoint exploitable by authenticated users with sufficient permissions.
ChurchCRM fixes two SQL injection flaws in version 7.1.0
ChurchCRM remediated multiple SQL injection vulnerabilities, including a time-based blind SQL injection in PropertyAssign.php and an SQL injection in FundRaiserStatement.php, by releasing version 7.1.0. Both issues affected versions prior to 7.1.0.
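The advisories above describe two recurring defects: a session or POST value used in an unquoted numeric SQL context without integer validation (CVE-2026-35566, CVE-2026-35567, CVE-2026-39319), and a user-supplied identifier spliced into a statement without safe backtick handling (CVE-2026-39318). The following PHP is an added illustration, not ChurchCRM's own code; it assumes an existing PDO connection `$pdo`, and the table and column names (`fundraiser_tbl`, `fr_ID`, `group_prop_tbl`) are hypothetical placeholders.

```php
<?php
// Illustrative PHP (not ChurchCRM's code). Table/column names are placeholders.

// Pattern 1: an unquoted session value in a numeric SQL context.
function fundraiserRowsUnsafe(PDO $pdo): array
{
    $id = $_SESSION['iCurrentFundraiser'] ?? '';           // string, never validated
    // No quotes around the value, so quote-escaping would not help either:
    // whatever reached the session becomes part of the statement itself.
    $sql = "SELECT * FROM fundraiser_tbl WHERE fr_ID = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function fundraiserRowsSafe(PDO $pdo): array
{
    // Validate as a plain integer before the value goes anywhere near SQL.
    $id = filter_var($_SESSION['iCurrentFundraiser'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        throw new InvalidArgumentException('Invalid fundraiser id in session');
    }
    // Bind as an integer so the value can never change the statement's shape.
    $stmt = $pdo->prepare('SELECT * FROM fundraiser_tbl WHERE fr_ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Pattern 2: a user-supplied identifier (a field name) in DDL/DML.
// Placeholders cannot bind identifiers, so allow-list the table and
// restrict the identifier to characters that cannot close a backtick.
function renameFieldSafe(PDO $pdo, string $table, string $field, string $newName): void
{
    $allowedTables = ['group_prop_tbl' => true];            // hypothetical table name
    if (!isset($allowedTables[$table])) {
        throw new InvalidArgumentException('Unknown table');
    }
    foreach ([$field, $newName] as $ident) {
        // Letters, digits and underscore only; backticks, quotes, spaces rejected.
        if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $ident)) {
            throw new InvalidArgumentException('Invalid identifier: ' . $ident);
        }
    }
    $pdo->exec("ALTER TABLE `$table` CHANGE `$field` `$newName` VARCHAR(255)");
}
```

Defenders reviewing similar code can grep for string-concatenated SQL (`" . $` inside a query string) and for `$_SESSION`, `$_POST` or array keys used without `filter_var`/`PDO::PARAM_INT`, which is how every one of the listed issues would surface.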
Sources
CVE-2026-39319 - ChurchCRM has a Second Order SQLI via FundRaiserEditor.php (cvefeed.io)
CVE-2026-35566 - ChurchCRM has a SQL Injection via Unquoted Session Value in FundRaiserStatement.php (cvefeed.io)
CVE-2026-35567 - SQL Injection in MemberRoleChange.php (cvefeed.io)
CVE-2026-39318 - ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php (cvefeed.io)
CVE-2026-39330 - ChurchCRM has a Blind SQL injection in PropertyAssign.php (cvefeed.io)
CVE-2026-39327 - ChurchCRM has a SQL injection in MemberRoleChange.php (cvefeed.io)
CVE-2026-39329 - ChurchCRM has a Blind SQL injection in EventNames.php (cvefeed.io)
CVE-2026-34402 - Time Based Blind SQL Injection via Property Value in ChurchCRM (cvefeed.io)