CVE-2026-39326
Published: 07 April 2026
Summary
CVE-2026-39326 is a high-severity SQL Injection (CWE-89) vulnerability in ChurchCRM. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by requiring validation and sanitization of user inputs such as the Name and Description parameters of the PropertyTypeEditor.php endpoint.
- Flaw remediation: mitigates the vulnerability through timely patching of ChurchCRM to version 7.1.0 or later.
- RA-5 (Vulnerability Monitoring and Scanning): identifies SQL injection vulnerabilities like CVE-2026-39326 through regular vulnerability scanning and supports remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- Exploit Public-Facing Application (T1190): SQL injection in a remotely exploitable web application endpoint (/PropertyTypeEditor.php) maps directly to exploitation of public-facing applications.
NVD Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description parameters and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Deeper analysis
CVE-2026-39326 is an SQL injection vulnerability (CWE-89) affecting ChurchCRM, an open-source church management system. The issue resides in the /PropertyTypeEditor.php endpoint in versions prior to 7.1.0, where the Name and Description parameters fail to properly sanitize user input, allowing injection of arbitrary SQL statements. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant data compromise.
Authenticated users with the isMenuOptionsEnabled role can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables attackers to extract sensitive information from the database, modify records, or potentially disrupt availability, granting broad control over the underlying data store.
The ChurchCRM GitHub security advisory (GHSA-mch7-6v8f-c4j5) confirms the vulnerability is fully addressed in version 7.1.0, recommending immediate upgrades for affected installations to mitigate the risk.
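As an added illustration of the CWE-89 pattern the analysis above describes, and not ChurchCRM's own code (the table, column and function names are assumptions, and an in-memory SQLite table stands in for the property-type record), the vulnerable string-building form is shown beside the validated, parameterized form that the SI-10 control calls for:

```python
import re
import sqlite3

# Constructed stand-in schema; not ChurchCRM's actual table layout.
SCHEMA = """
CREATE TABLE property_type (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT NOT NULL,
    description TEXT NOT NULL
)
"""
NAME_MAX, DESC_MAX = 50, 255


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def save_unsafe(conn, name, description):
    # Vulnerable pattern (CWE-89): the request values are pasted into the
    # SQL text, so a quote character in Name or Description changes the
    # statement's structure instead of being stored as data.
    sql = ("INSERT INTO property_type (name, description) VALUES ('"
           + name + "', '" + description + "')")
    conn.execute(sql)


def validate(name, description):
    # Input validation (NIST SI-10): enforce length bounds and an allow-list
    # of characters before the value reaches the database layer.
    if not 0 < len(name) <= NAME_MAX or len(description) > DESC_MAX:
        raise ValueError("field length out of range")
    if not re.fullmatch(r"[\w\s.,'&()-]+", name):
        raise ValueError("name contains disallowed characters")
    return name.strip(), description.strip()


def save_safe(conn, name, description):
    # Hardened form: validated values are bound as query parameters, so the
    # driver never interprets them as SQL. Returns the row as stored.
    name, description = validate(name, description)
    cur = conn.execute(
        "INSERT INTO property_type (name, description) VALUES (?, ?)",
        (name, description))
    return conn.execute("SELECT name, description FROM property_type "
                        "WHERE id = ?", (cur.lastrowid,)).fetchone()


def demo():
    # A legitimate name containing an apostrophe is stored verbatim by the
    # parameterized path but breaks the concatenated statement.
    conn = open_db()
    stored = save_safe(conn, "O'Brien Hall", "Room booking")
    try:
        save_unsafe(conn, "O'Brien Hall", "Room booking")
        altered = False
    except sqlite3.OperationalError:
        altered = True  # the input changed the SQL: the CWE-89 symptom
    return stored, altered
```

The same apostrophe that merely causes a syntax error here is what, in a real endpoint, lets an authenticated user append their own SQL; binding parameters removes that path regardless of the input.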
Details
- CWE(s): CWE-89 (SQL Injection)