{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39318", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.266Z", "datePublished": "2026-04-07T17:27:51.450Z", "dateUpdated": "2026-04-08T18:46:33.913Z"}, "containers": {"cna": {"title": "ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:27:51.450Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupPropsFormRowOps.php file contains a SQL injection vulnerability. User input in the Field parameter is directly inserted into SQL queries without proper sanitization. The mysqli_real_escape_string() function does not escape backtick characters, allowing attackers to break out of SQL identifier context and execute arbitrary SQL statements. This vulnerability is fixed in 7.1.0."}], "source": {"advisory": "GHSA-j3vj-59vv-h4rc", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:46:28.790516Z", "id": "CVE-2026-39318", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:46:33.913Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39318", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T18:46:28.790516Z"}}}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:46:22.327Z"}}], "cna": {"title": "ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php", "source": {"advisory": "GHSA-j3vj-59vv-h4rc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.1.0"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupPropsFormRowOps.php file contains a SQL injection vulnerability. User input in the Field parameter is directly inserted into SQL queries without proper sanitization. The mysqli_real_escape_string() function does not escape backtick characters, allowing attackers to break out of SQL identifier context and execute arbitrary SQL statements. This vulnerability is fixed in 7.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:27:51.450Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39318", "state": "PUBLISHED", "dateUpdated": "2026-04-08T18:46:33.913Z", "dateReserved": "2026-04-06T19:31:07.266Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:27:51.450Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupPropsFormRowOps.php file contains a SQL injection vulnerability. User input in the Field parameter is directly inserted into SQL queries without proper sanitization. The mysqli_real_escape_string() function does not escape backtick characters, allowing attackers to break out of SQL identifier context and execute arbitrary SQL statements. This vulnerability is fixed in 7.1.0."}], "id": "CVE-2026-39318", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:42.810", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-07T22:02:10.643108+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 7.1.0 or later, which contains the patch for this issue."], "summary": {"action": "Patch", "impact": "SQL command injection enabling arbitrary SQL execution"}, "threat_synthesis": {"affected_systems": "ChurchCRM versions prior to 7.1.0 are affected. The flaw resides in the GroupPropsFormRowOps.php component of the ChurchCRM application, an open\u2011source church management system. All installations running a pre\u20117.1.0 release are potentially exploitable.", "description_and_impact": "The vulnerability is an SQL injection in the GroupPropsFormRowOps.php file of ChurchCRM. User-controllable data supplied through the Field parameter is concatenated directly into SQL identifiers without adequate escaping. Because the mysqli_real_escape_string function does not neutralize backtick characters, an attacker can break out of the intended identifier context and inject arbitrary SQL statements. This flaw allows the injection of commands that could read, modify or delete data in the underlying database, thereby compromising the confidentiality, integrity, and availability of the church\u2019s records.", "risk_and_exploitability": "The flaw scores a CVSS score of 8.8, indicating a high severity vulnerability. No EPSS score is published, and the issue is not currently listed in the CISA KEV catalog. The likely attack vector is remote, via the web interface, where an attacker can supply a crafted Field value in a request to the vulnerable script. Exploitation requires the ability to reach the application and submit input, which may be achieved by authenticated or unauthenticated users depending on the specific configuration of the ChurchCRM instance. Any successful exploit would grant the attacker the ability to execute arbitrary SQL against the connected database."}}}}, "created": "2026-04-08T19:47:15.900068+00:00", "updated": "2026-04-08T19:47:15.900105+00:00", "vendors": []}