CVE-2026-39329 | THREATINT

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reaches an ON DUPLICATE KEY UPDATE clause where unescaped user input is interpolated directly. This vulnerability is fixed in 7.1.0.

PUBLISHED Reserved 2026-04-06 | Published 2026-04-07 | Updated 2026-04-07 | Assigner GitHub_M

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

< 7.1.0

affected

References

github.com/...RM/CRM/security/advisories/GHSA-ggfm-5q4w-p93g exploit

github.com/...RM/CRM/security/advisories/GHSA-ggfm-5q4w-p93g

cve.org (CVE-2026-39329)

nvd.nist.gov (CVE-2026-39329)

Download JSON