CVE-2026-39319 HIGH

CVE-2026-39319: ChurchCRM has a Second Order SQLI via FundRaiserEditor.php

Vendor Churchcrm

Product CRM

Weakness CWE-89 · SQLi

Published April 7, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.

Key dates

Disclosure timeline

April 7, 2026 CVE published

April 8, 2026 Record updated