CVE-2026-39325
Published: 07 April 2026
Summary
CVE-2026-39325 is a high-severity SQL Injection (CWE-89) vulnerability in Churchcrm Churchcrm. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation and sanitization of the untrusted 'type' array and 'index' parameters before they are used in database queries within /SettingsUser.php.
Mandates timely flaw remediation by patching ChurchCRM to version 7.1.0 or later, eliminating the specific SQL injection vulnerability.
Deploys boundary protection mechanisms such as web application firewalls to inspect and block malicious SQL injection payloads targeting the vulnerable endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web app endpoint (/SettingsUser.php) directly enables T1190 (Exploit Public-Facing Application). Arbitrary SQL allows database content access/manipulation, enabling T1213.006 (Data from Information Repositories: Databases).
NVD Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative users can inject arbitrary SQL statements through the type array parameter via the index and…
more
thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Deeper analysisAI
CVE-2026-39325 is an SQL injection vulnerability (CWE-89) affecting ChurchCRM, an open-source church management system, in versions prior to 7.1.0, with the issue specifically identified in 7.0.5. The flaw resides in the /SettingsUser.php endpoint, where authenticated administrative users can inject arbitrary SQL statements through the "type" array parameter via the "index" parameter, potentially allowing unauthorized access to or manipulation of database contents.
The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity, requiring high privileges (authenticated admin access) but no user interaction. An attacker with administrative credentials could extract sensitive information from the database, modify records, or disrupt availability, leading to significant data compromise or system tampering.
The official GitHub security advisory (GHSA-cf68-g7vf-9xrq) confirms the vulnerability is remediated in ChurchCRM 7.1.0. Organizations using affected versions should prioritize upgrading to 7.1.0 or later to mitigate the risk, and administrators are advised to review access controls for the /SettingsUser.php endpoint in the interim.
Details
- CWE(s)