CVE-2026-39340
Published: 07 April 2026
Summary
CVE-2026-39340 is a high-severity SQL Injection (CWE-89) vulnerability in ChurchCRM. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 9.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly mandates validating user-supplied Name and Description inputs before insertion into SQL queries, preventing the SQL injection vulnerability in PropertyTypeEditor.php.
SI-2 (Flaw Remediation): requires timely flaw remediation by upgrading to ChurchCRM 7.1.0, which replaces sanitizeText() with proper SQL escaping to fix the vulnerability.
Vulnerability scanning: identifies SQL injection flaws like CVE-2026-39340 in ChurchCRM prior to exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (ChurchCRM) enables Exploit Public-Facing Application (T1190); blind SQL injection allows collection of database contents (T1213.006) and modification of stored data (T1565.001).
NVD Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() — which both strips HTML and escapes SQL — was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields are concatenated directly into raw INSERT and UPDATE queries with no SQL escaping. This allows any authenticated user with the MenuOptions role (a non-admin staff permission) to perform time-based blind injection and exfiltrate any data from the database, including password hashes of all users. This vulnerability is fixed in 7.1.0.
Deeper analysis
CVE-2026-39340 is a SQL injection vulnerability (CWE-89) affecting ChurchCRM, an open-source church management system, in versions prior to 7.1.0. The issue resides in the PropertyTypeEditor.php file within the administration functionality for managing property type categories under People → Person Properties / Family Properties. It stems from replacing the legacyFilterInput() function, which stripped HTML and escaped SQL inputs, with sanitizeText(), which only strips HTML. As a result, user-supplied values from the Name and Description fields are directly concatenated into raw INSERT and UPDATE SQL queries without escaping, enabling injection attacks. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Any authenticated user with the MenuOptions role—a non-administrative staff permission—can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Attackers can perform time-based blind SQL injection to exfiltrate sensitive data from the database, including the password hashes of all users, and can potentially modify data, which accounts for the high integrity impact.
The ChurchCRM security advisory (GHSA-66f7-4p96-mww9) confirms the vulnerability is fixed in version 7.1.0, recommending immediate upgrades for affected installations to mitigate the risk.
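The root cause described in the NVD text and the deeper analysis above is a sanitizer that removes HTML but does nothing about SQL metacharacters, with the result then concatenated into INSERT statements. The following is an added illustration, not ChurchCRM's code: the table name, column names, the strip_html_only() helper and the validate_field() length limit are constructed for the example. It runs the same input through a concatenated INSERT and a parameterized INSERT on an in-memory SQLite database, and uses an ordinary name containing an apostrophe to show that HTML stripping alone leaves the query's structure under the user's control, while a bound parameter never becomes part of the SQL text (SI-10 style validation is layered on top, not used as a substitute).

```python
import re
import sqlite3

# Constructed for this example: a sanitizer that strips HTML tags only,
# in the spirit of an HTML-only sanitizeText() step. It does not escape SQL.
TAG_RE = re.compile(r"<[^>]*>")


def strip_html_only(value: str) -> str:
    return TAG_RE.sub("", value)


def validate_field(value: str, max_len: int = 100) -> str:
    """SI-10 style input validation (limits assumed for the example).

    Rejects control characters and over-long values. This reduces the input
    space but is NOT what prevents injection; parameterization does that.
    """
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control characters are not allowed")
    if not value.strip() or len(value) > max_len:
        raise ValueError("value is empty or too long")
    return value


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE property_type ("
        "id INTEGER PRIMARY KEY, name TEXT NOT NULL, description TEXT)"
    )
    return conn


def insert_concatenated(conn: sqlite3.Connection, name: str, description: str) -> None:
    """Weak pattern: HTML is stripped, then the values are glued into the SQL."""
    name = strip_html_only(name)
    description = strip_html_only(description)
    sql = (
        "INSERT INTO property_type (name, description) "
        f"VALUES ('{name}', '{description}')"
    )
    conn.execute(sql)  # the input's quotes are now part of the statement text
    conn.commit()


def insert_parameterized(conn: sqlite3.Connection, name: str, description: str) -> None:
    """Hardened pattern: values are validated, then bound as parameters."""
    name = validate_field(strip_html_only(name))
    description = validate_field(strip_html_only(description))
    conn.execute(
        "INSERT INTO property_type (name, description) VALUES (?, ?)",
        (name, description),
    )
    conn.commit()


def run_demo(name: str, description: str):
    """Returns (concatenated_ok, parameterized_ok, name_stored_by_parameterized)."""
    conn = make_db()
    try:
        insert_concatenated(conn, name, description)
        concat_ok = True
    except sqlite3.Error:
        # A plain apostrophe in the input already breaks the statement,
        # which is exactly the control an attacker would abuse.
        concat_ok = False
    insert_parameterized(conn, name, description)
    stored = conn.execute(
        "SELECT name FROM property_type ORDER BY id DESC LIMIT 1"
    ).fetchone()[0]
    conn.close()
    return concat_ok, True, stored


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate name with an apostrophe,
    # and one carrying HTML that the sanitizer removes.
    for sample in [("Men's Group", "Tuesday meeting"), ("Youth <b>Team</b>", "Sunday")]:
        print(sample[0], "->", run_demo(*sample))
```

The concatenated path fails on "Men's Group" with a syntax error because the apostrophe terminates the string literal early; the parameterized path stores the name verbatim. The same property that makes the apostrophe break the query is what lets an attacker rewrite it, which is why the fix for this class of bug is binding parameters (or, failing that, database-specific escaping), not stronger HTML stripping.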
Details
- CWE(s)