EUVD-2026-19810CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative users can inject arbitrary SQL statements through the type array parameter via the index and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Analysis
SQL injection in ChurchCRM 7.0.5 allows authenticated administrators to execute arbitrary SQL commands through the /SettingsUser.php endpoint's type array parameter. Attackers with high-privilege administrative access can extract sensitive database contents, modify church records, or potentially escalate privileges within the system. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running ChurchCRM 7.0.5 or earlier and audit active administrative accounts for suspicious activity; restrict administrative access to essential personnel only. Within 7 days: Verify availability of ChurchCRM version 7.1.0 from official vendor sources and test patching in a non-production environment. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today