Is PHP affected by CVE-2026-39326?

ChurchCRM versions prior to 7.1.0 contain a SQL injection vulnerability in the PropertyTypeEditor component that allows authenticated users with menu privileges to compromise the entire database, including unauthorized data extraction and modification.

CVE-2026-39326

EUVD-2026-19811 HIGH

2026-04-07 GitHub_M

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 18:00 euvd

EUVD-2026-19811

Analysis Generated

Apr 07, 2026 - 18:00 vuln.today

CVE Published

Apr 07, 2026 - 17:30 nvd

HIGH 8.8

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description parameters and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.

Analysis

SQL injection in ChurchCRM PropertyTypeEditor.php allows authenticated users with menu options privileges to execute arbitrary SQL commands via Name and Description parameters, enabling full database compromise including data extraction and modification. Affects all versions before 7.1.0. …

Remediation

Within 24 hours: Identify all ChurchCRM installations and document current versions; restrict database user permissions for the ChurchCRM application to read-only access where feasible and disable PropertyTypeEditor functionality if not essential. Within 7 days: Upgrade all ChurchCRM instances to version 7.1.0 or later; verify patch application across all systems. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2026-39326 vulnerability details – vuln.today

Back

CVE-2026-39326

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-39326

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code