Is PHP affected by CVE-2026-39323?

ChurchCRM versions before 7.1.0 contain a high-severity SQL injection vulnerability in the PropertyTypeEditor component that permits authenticated users with 'Manage Properties' permissions to execute arbitrary database commands, potentially compromising the confidentiality, integrity, and…

CVE-2026-39323

EUVD-2026-19809 HIGH

2026-04-07 GitHub_M

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 07, 2026 - 18:00 vuln.today

EUVD ID Assigned

Apr 07, 2026 - 18:00 euvd

EUVD-2026-19809

CVE Published

Apr 07, 2026 - 17:28 nvd

HIGH 8.8

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in ChurchCRM's PropertyTypeEditor.php where the Name and Description POST parameters are sanitized only with strip_tags() before direct concatenation into SQL queries. This allows authenticated users with "Manage Properties" permission to execute arbitrary SQL commands including data exfiltration, modification, and deletion. Injected data persists in the database and is reflected across multiple application pages without output encoding. This vulnerability is fixed in 7.1.0.

Analysis

SQL injection in ChurchCRM's PropertyTypeEditor.php allows authenticated users with 'Manage Properties' permission to execute arbitrary SQL commands through unsanitized Name and Description POST parameters. ChurchCRM versions prior to 7.1.0 are affected. …

Remediation

Within 24 hours: Identify all ChurchCRM installations and document current versions; immediately restrict 'Manage Properties' permission assignments to only essential administrators and audit existing role assignments. Within 7 days: Contact ChurchCRM vendor for patch availability timeline and interim guidance; implement application-level access controls (firewall rules, IP whitelisting) limiting PropertyTypeEditor.php access to trusted administrators only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2026-39323 vulnerability details – vuln.today

Back

CVE-2026-39323

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-39323

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code