Cyber Posture

CVE-2026-39343

High

Published: 07 April 2026
Modified: 10 April 2026
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (11.3th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-39343 is a high-severity SQL Injection (CWE-89) vulnerability in ChurchCRM. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 11.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent (SI-10, Information Input Validation): Directly requires validation and sanitization of the EN_tyid POST parameter before it is used in SQL queries, preventing SQL injection exploitation.

prevent (SI-2, Flaw Remediation): Mandates timely remediation of flaws such as this SQL injection vulnerability by applying the fix in ChurchCRM version 7.1.0.

prevent: Enforces restrictions on input types, formats, and lengths for parameters like EN_tyid to block common SQL injection payloads.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Why these techniques?

SQL injection in the web application enables T1190 exploitation; arbitrary SQL then allows database data collection (T1213.006), stored data manipulation (T1565.001), and data destruction (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST parameter is not sanitized before being used in a SQL query, allowing an administrator to execute arbitrary SQL commands directly against the database. This vulnerability is fixed in 7.1.0.

Deeper analysis (AI-generated)

CVE-2026-39343 is a SQL injection vulnerability in ChurchCRM, an open-source church management system. The issue affects versions prior to 7.1.0 and resides in the EditEventTypes.php file, which is accessible only to administrators. Specifically, the EN_tyid POST parameter is not sanitized before being incorporated into a SQL query, enabling arbitrary SQL command execution directly against the database. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-89.

Exploitation requires an authenticated administrator account, as indicated by the high privileges required (PR:H) and the file's access restrictions. An attacker with admin access can submit a malicious EN_tyid value via a POST request to EditEventTypes.php, injecting and executing arbitrary SQL. This grants high confidentiality, integrity, and availability impacts, potentially allowing full database compromise, data exfiltration, modification, or deletion.

The GitHub security advisory (GHSA-h2hx-p9gp-q7gr) confirms the vulnerability is fixed in ChurchCRM version 7.1.0, recommending that administrators upgrade to this release or later to mitigate the issue. No additional workarounds are specified in the provided details.
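As an added illustration (not ChurchCRM's own code; the page does not show the affected query or table), the pattern the analysis and the SI-10 control describe and its hardened form, in Python with sqlite3 standing in for the database: the unsafe builder splices the submitted EN_tyid value into the SQL text, while the hardened path rejects anything that is not a plain positive integer and binds the value as a query parameter. The table and column names are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the event-type table; ChurchCRM's real table and
# column names are not on the page, so these are assumptions.
SCHEMA = """
CREATE TABLE eventtypes (type_id INTEGER PRIMARY KEY, type_name TEXT NOT NULL);
INSERT INTO eventtypes VALUES (1, 'Service'), (2, 'Meeting');
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def build_update_unsafe(en_tyid: str, name: str) -> str:
    """The vulnerable pattern (CWE-89): the raw POST value is spliced into the
    SQL text, so anything beyond a number rewrites the statement itself."""
    return f"UPDATE eventtypes SET type_name = '{name}' WHERE type_id = {en_tyid}"

def validate_event_type_id(raw: str) -> int:
    """SI-10 style check: EN_tyid is a row identifier, so only a plain positive
    integer is accepted; everything else is rejected before any SQL is built."""
    if not re.fullmatch(r"[1-9][0-9]*", raw.strip()):
        raise ValueError(f"EN_tyid rejected: {raw!r}")
    return int(raw)

def is_valid_event_type_id(raw: str) -> bool:
    try:
        validate_event_type_id(raw)
        return True
    except ValueError:
        return False

def update_event_type_safe(conn: sqlite3.Connection, en_tyid: str, name: str) -> int:
    """Hardened form: validated id plus a parameterized statement, so the driver
    binds both values as data and they cannot change the query's structure."""
    type_id = validate_event_type_id(en_tyid)
    cur = conn.execute(
        "UPDATE eventtypes SET type_name = ? WHERE type_id = ?", (name, type_id)
    )
    conn.commit()
    return cur.rowcount  # 0 when the id does not exist

def event_type_name(conn: sqlite3.Connection, type_id: int):
    """Parameterized lookup used to confirm what the update actually changed."""
    row = conn.execute(
        "SELECT type_name FROM eventtypes WHERE type_id = ?", (type_id,)
    ).fetchone()
    return row[0] if row else None
```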

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: churchcrm / churchcrm, ≤ 7.1.0

CVEs Like This One

CVE-2026-39329 (same product: Churchcrm Churchcrm)
CVE-2025-1135 (same product: Churchcrm Churchcrm)
CVE-2025-1023 (same product: Churchcrm Churchcrm)
CVE-2026-24854 (same product: Churchcrm Churchcrm)
CVE-2026-39340 (same product: Churchcrm Churchcrm)
CVE-2025-1134 (same product: Churchcrm Churchcrm)
CVE-2026-39319 (same product: Churchcrm Churchcrm)
CVE-2025-1133 (same product: Churchcrm Churchcrm)
CVE-2026-39342 (same product: Churchcrm Churchcrm)
CVE-2025-1132 (same product: Churchcrm Churchcrm)