FinancialService CVE-2026-40482

HIGH
SQL Injection (CWE-89)
2026-04-18 [email protected]
SQLi
7.1
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 18, 2026 - 00:38 vuln.today

DescriptionNVD

ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.

AnalysisAI

SQL injection in ChurchCRM's FinancialService getMemberByScanString() method allows authenticated attackers to exfiltrate sensitive database contents and modify limited data. Affects ChurchCRM versions prior to 7.2.0. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all ChurchCRM deployments and document current versions; restrict access to FinancialService functions to administrative users only. Within 7 days: Monitor vendor repository for ChurchCRM 7.2.0 release confirmation and apply patch immediately upon availability; if unavailable, evaluate migration to alternative solutions. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-40482 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy