Home / Vulnerability Intelligence / CVE-2026-39330

CVE-2026-39330 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: April 8, 2026

ChurchCRM - SQL Injection

Published: April 7, 2026Updated: April 8, 2026Remote Exploitable

Overview

ChurchCRM < 7.1.0 contains an SQL injection caused by improper sanitization of the Value parameter in /PropertyAssign.php, letting authenticated users with Manage Groups & Roles and Edit Records privileges extract and modify database information.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 3.0%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can extract and modify database information, potentially compromising data integrity and confidentiality.

Mitigation

Upgrade to version 7.1.0 or later.

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-xq86-jh52-728g

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 8, 2026

🟠 CVE-2026-39330 - High (8.8) ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Record... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39330/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-39330
Severity: High
CVSS Score: 8.8
Type: sql_injection
Status: unconfirmed
EPSS: 3.0%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.0%Probability of exploitation in the next 30 days