Cyber Resilience

CVE-2026-39343

Severity: High
Published: 07 April 2026
Modified: 10 April 2026
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0004 (11.7th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-39343 is a high-severity SQL Injection (CWE-89) vulnerability in ChurchCRM (vendor: Churchcrm, product: Churchcrm). Its CVSS base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 11.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are the NIST SP 800-53 controls SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-39343 is a SQL injection vulnerability in ChurchCRM, an open-source church management system. The issue affects versions prior to 7.1.0 and resides in the EditEventTypes.php file, which is accessible only to administrators. Specifically, the EN_tyid POST parameter is not sanitized before being incorporated into a SQL query, enabling arbitrary SQL command execution directly against the database. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-89.

Exploitation requires an authenticated administrator account, as indicated by the high privileges required (PR:H) and the file's access restrictions. An attacker with admin access can submit a malicious EN_tyid value via a POST request to EditEventTypes.php, injecting and executing arbitrary SQL. The impact on confidentiality, integrity, and availability is rated high, potentially allowing full database compromise, data exfiltration, modification, or deletion.

The GitHub security advisory (GHSA-h2hx-p9gp-q7gr) confirms the vulnerability is fixed in ChurchCRM version 7.1.0, recommending administrators upgrade to this release or later to mitigate the issue. No additional workarounds are specified in the provided details.
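The fix pattern the advisory implies is to treat EN_tyid as a typed value rather than as SQL text. The following is an added illustration written for this page, not ChurchCRM's own code: it assumes a hypothetical event_types table with a type_id column and a PDO connection (here an in-memory SQLite database so it runs stand-alone), validates EN_tyid as a positive integer before use, and binds it as a parameter so the database never interprets it as part of the query.

```php
<?php
// Hypothetical hardened handler for an EN_tyid POST parameter (not ChurchCRM's code).
// Assumes a PDO connection and a constructed event_types(type_id, type_name) table.
declare(strict_types=1);

function readEventTypeId(array $post): int
{
    // SI-10 style validation: the id must be a positive integer and nothing else.
    $id = filter_var($post['EN_tyid'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('EN_tyid must be a positive integer');
    }
    return $id;
}

function loadEventType(PDO $pdo, int $typeId): ?array
{
    // Parameterised query: the value is sent separately from the SQL text,
    // so even a non-numeric value could not alter the statement's structure.
    $stmt = $pdo->prepare('SELECT type_id, type_name FROM event_types WHERE type_id = :id');
    $stmt->bindValue(':id', $typeId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (requires pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE event_types (type_id INTEGER PRIMARY KEY, type_name TEXT)');
$pdo->exec("INSERT INTO event_types VALUES (1, 'Service'), (2, 'Meeting')");

// Two constructed POST bodies: a well-formed id and a malformed one.
foreach ([['EN_tyid' => '2'], ['EN_tyid' => '2 OR 1=1']] as $post) {
    try {
        $row = loadEventType($pdo, readEventTypeId($post));
        echo json_encode($row), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first request returns the Meeting row; the second is rejected by the validator before any SQL is built, and even if it reached the query it would be bound as an integer parameter rather than spliced into the statement.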


Vulnerability details

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST parameter is not sanitized before being used in a SQL query, allowing an administrator to execute arbitrary SQL commands directly against the database. This vulnerability is fixed in 7.1.0.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

SQL injection in the web application enables exploitation via T1190; arbitrary SQL execution then allows database data collection (T1213.006), stored data manipulation (T1565.001), and data destruction (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1023 (same product: Churchcrm Churchcrm)
CVE-2025-1135 (same product: Churchcrm Churchcrm)
CVE-2026-39329 (same product: Churchcrm Churchcrm)
CVE-2026-24854 (same product: Churchcrm Churchcrm)
CVE-2025-1134 (same product: Churchcrm Churchcrm)
CVE-2025-1133 (same product: Churchcrm Churchcrm)
CVE-2026-39319 (same product: Churchcrm Churchcrm)
CVE-2026-39340 (same product: Churchcrm Churchcrm)
CVE-2026-39342 (same product: Churchcrm Churchcrm)
CVE-2026-39325 (same product: Churchcrm Churchcrm)

Affected Assets

Vendor: churchcrm
Product: churchcrm
Versions: ≤ 7.1.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of the EN_tyid POST parameter before use in SQL queries, preventing SQL injection exploitation.

SI-2 Flaw Remediation (prevent): Mandates timely remediation of flaws such as this SQL injection vulnerability by applying the fix in ChurchCRM version 7.1.0.

Additional control (prevent): Enforces restrictions on input types, formats, and lengths for parameters like EN_tyid to block common SQL injection payloads.
