CVE-2026-39318 - Vulnerability Analysis

Overview

ChurchCRM < 7.1.0 contains a SQL injection caused by improper sanitization of the Field parameter in GroupPropsFormRowOps.php, letting attackers execute arbitrary SQL statements, exploit requires crafted input.

Severity & Score

Impact

Attackers can execute arbitrary SQL statements, potentially leading to data disclosure, modification, or full database compromise.

Mitigation

Update to version 7.1.0 or later.

References

• https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc
• https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r53-w4r6-w62c

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 8, 2026

🟠 CVE-2026-39318 - High (8.8) ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupPropsFormRowOps.php file contains a SQL injection vulnerability. User input in the Field parameter is directly inserted into SQL queries without proper sanitization. Th... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39318/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner