CVE-2026-39343

EUVD-2026-19847
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST parameter is not sanitized before being used in a SQL query, allowing an administrator to execute arbitrary SQL commands directly against the database. This vulnerability is fixed in 7.1.0.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Affected Products (NVD)
VendorProductVersion
churchcrmchurchcrm
𝑥
< 7.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h2hx-p9gp-q7gr
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h2hx-p9gp-q7gr