ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() which both strips HTML and escapes SQL — was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields are concatenated directly into raw INSERT and UPDATE queries with no SQL escaping. This allows any authenticated user with the MenuOptions role (a non-admin staff permission) to perform time-based blind injection and exfiltrate any data from the database, including password hashes of all users. This vulnerability is fixed in 7.1.0.
References
| Link | Resource |
|---|---|
| https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9 | Third Party Advisory |
| https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9 | Third Party Advisory |
Configurations
History
09 Apr 2026, 18:43
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* | |
| First Time |
Churchcrm churchcrm
Churchcrm |
|
| References | () https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9 - Third Party Advisory |
08 Apr 2026, 19:25
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9 - |
07 Apr 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-07 18:16
Updated : 2026-04-09 18:43
NVD link : CVE-2026-39340
Mitre link : CVE-2026-39340
CVE.ORG link : CVE-2026-39340
JSON object : View
Products Affected
churchcrm
- churchcrm
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')