HIGHCVE-2026-39327Published 2026-04-07Modified 2026-04-07CNA GitHub_M

CVE-2026-39327: ChurchCRM has a SQL injection in MemberRoleChange.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject arbitrary SQL statements through the NewRole parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

ChurchCRM / CRM
< 7.1.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66fc-v5xj-x859

Metrics