CVE-2026-39341 HIGH

CVE-2026-39341: SQL injection in ChurchCRM.0

Vendor Churchcrm

Product CRM

Weakness CWE-89 · SQLi

Published April 7, 2026

Last update April 9, 2026

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input, specifically, the sanitised input is not used to create the SQL query. This vulnerability is fixed in 7.1.0.

Key dates

02Disclosure timeline

April 7, 2026 CVE published

April 9, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-39341 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

04Related CVE

CVE-2024-7838 itsourcecode Online Food Ordering System addcategory.php sql injection CVE-2019-25536 Netartmedia PHP Real Estate Agency 4.0 SQL Injection via features parameter CVE-2018-25207 Online Quiz Maker 1.0 SQL Injection via catid Parameter CVE-2021-36898 WordPress Quiz And Survey Master plugin <= 7.3.4 - Auth. SQL Injection (SQLi) vulnerability CVE-2026-2820 Fujian Smart Integrated Management Platform System XAccessPermissionPlus.ashx sql injection