Home / Vulnerability Intelligence / CVE-2026-39326

CVE-2026-39326 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: April 8, 2026

ChurchCRM - SQL Injection

Published: April 7, 2026Updated: April 8, 2026Remote Exploitable

Overview

ChurchCRM < 7.1.0 contains an SQL injection caused by improper sanitization of Name and Description parameters in /PropertyTypeEditor.php, letting authenticated users with isMenuOptionsEnabled role extract and modify database information.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 3.0%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can extract and modify database information, potentially compromising data integrity and confidentiality.

Mitigation

Upgrade to version 7.1.0 or later.

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-mch7-6v8f-c4j5

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 8, 2026

🟠 CVE-2026-39326 - High (8.8) ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL st... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39326/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-39326
Severity: High
CVSS Score: 8.8
Type: sql_injection
Status: unconfirmed
EPSS: 3.0%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.0%Probability of exploitation in the next 30 days