Is PHP affected by CVE-2026-34402?

ChurchCRM versions before 7.1.0 contain a SQL injection vulnerability in the PropertyAssign.php endpoint that allows authenticated users with basic permissions to exfiltrate or modify sensitive database content, including credentials and personally identifiable information.

CVE-2026-34402

EUVD-2026-19345 HIGH

2026-04-06 GitHub_M

8.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 06, 2026 - 16:00 vuln.today

EUVD ID Assigned

Apr 06, 2026 - 16:00 euvd

EUVD-2026-19345

CVE Published

Apr 06, 2026 - 15:27 nvd

HIGH 8.1

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, authenticated users with Edit Records or Manage Groups permissions can exploit a time-based blind SQL injection vulnerability in the PropertyAssign.php endpoint to exfiltrate or modify any database content, including user credentials, personal identifiable information (PII), and configuration secrets. This vulnerability is fixed in 7.1.0.

Analysis

Time-based blind SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with Edit Records or Manage Groups permissions to exfiltrate or modify database content including credentials, PII, and configuration secrets via the PropertyAssign.php endpoint. Attack requires low-privilege authentication (PR:L) but enables high confidentiality and integrity impact through database manipulation. …

Remediation

Within 24 hours: Verify current ChurchCRM version and confirm whether your deployment is prior to 7.1.0; if vulnerable, restrict access to PropertyAssign.php functionality to administrative users only and audit recent activity logs for suspicious database queries. Within 7 days: Deploy ChurchCRM version 7.1.0 or later immediately as the primary remediation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +40

POC: 0

CVE-2026-34402 vulnerability details – vuln.today

Back

CVE-2026-34402

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-34402

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code