Is PHP affected by CVE-2026-39341?

ChurchCRM versions before 7.1.0 contain a time-based SQL injection vulnerability in the ConfirmReportEmail.php endpoint that permits authenticated low-privilege users to extract sensitive database records, including confidential member information.

CVE-2026-39341

EUVD-2026-19843 HIGH

2026-04-07 [email protected]

8.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 18:22 euvd

EUVD-2026-19843

Analysis Generated

Apr 07, 2026 - 18:22 vuln.today

CVE Published

Apr 07, 2026 - 18:16 nvd

HIGH 8.1

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, The application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input, specifically, the sanitised input is not used to create the SQL query. This vulnerability is fixed in 7.1.0.

Analysis

Time-based SQL injection in ChurchCRM versions before 7.1.0 allows authenticated remote attackers to extract sensitive database contents through the ConfirmReportEmail.php endpoint. The familyId parameter fails to properly sanitize user input in SQL query construction, enabling attackers with low-privilege accounts to exfiltrate high-value data including confidential church member information. …

Remediation

Within 24 hours: verify current ChurchCRM version and confirm whether your deployment is earlier than 7.1.0; document all user accounts with authentication credentials. Within 7 days: contact ChurchCRM vendor for patch availability timeline and interim security guidance; restrict database query permissions for low-privilege account roles to essential functions only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +40

POC: 0

CVE-2026-39341 vulnerability details – vuln.today

Back

CVE-2026-39341

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-39341

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code