Skip to main content

FinancialService CVE-2026-40482

HIGH
SQL Injection (CWE-89)
2026-04-18 security-advisories@github.com
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 18, 2026 - 00:38 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
HIGH 7.1

DescriptionGitHub Advisory

ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.

AnalysisAI

SQL injection in ChurchCRM's FinancialService getMemberByScanString() method allows authenticated attackers to exfiltrate sensitive database contents and modify limited data. Affects ChurchCRM versions prior to 7.2.0. The vulnerability stems from unsanitized $routeAndAccount parameter concatenated directly into SQL queries without parameterization. Fixed via commit 214694eb and pull request #8607. EPSS data not available. Not listed in CISA KEV. Public exploit code exists (GitHub advisory GHSA-hc37-vx3w-34fg with PoC). CVSS 7.1 reflects network-accessible attack requiring low-privileged authentication with high confidentiality impact and low integrity impact.

Technical ContextAI

This is a classic SQL injection vulnerability (CWE-89) in ChurchCRM, an open-source church management system written in PHP. The flaw exists in the FinancialService class's getMemberByScanString() method, which handles financial transaction routing and account lookup functionality. The vulnerability occurs when the $routeAndAccount variable-likely user-controlled input from barcode scanning or manual entry of banking routing and account numbers-is concatenated directly into a SQL query string without proper sanitization, escaping, or parameterized query bindings. This violates secure coding practices for database interaction and creates an injection point where attackers can break out of the intended query structure. The CVSS 4.0 vector (AV:N/AC:L/PR:L) indicates this is a network-accessible vulnerability with low attack complexity requiring authenticated access, suggesting the vulnerable endpoint is part of the authenticated web application interface rather than a public-facing form. The impact profile (VC:H/VI:L/VA:N) shows asymmetric consequences: high confidentiality impact allowing full database read access, low integrity impact permitting limited data modification, and no availability impact.

Affected ProductsAI

ChurchCRM open-source church management system versions prior to 7.2.0 are affected. The vulnerability exists in the FinancialService class, specifically the getMemberByScanString() method used for processing financial transaction lookups. All deployment configurations running vulnerable versions are affected where authenticated users have access to financial scanning features. The fix is available in ChurchCRM version 7.2.0 and later, implemented via commit 214694eb83778e1f5e52b3dfa2a99d0e965c1850 and merged through pull request #8607. The official security advisory is published at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc37-vx3w-34fg with technical details and remediation guidance.

RemediationAI

Upgrade to ChurchCRM version 7.2.0 or later immediately, which contains the fix delivered via commit 214694eb83778e1f5e52b3dfa2a99d0e965c1850 and pull request #8607 available at https://github.com/ChurchCRM/CRM/pull/8607. The patch replaces direct string concatenation with parameterized SQL queries using prepared statements, eliminating the injection vector. If immediate upgrade is not feasible, implement compensating controls with understanding of their limitations: restrict access to financial scanning functionality to only highly trusted administrator accounts via role-based access controls (trade-off: reduces usability for finance volunteers); deploy web application firewall (WAF) rules to detect and block SQL injection patterns in requests to financial service endpoints (trade-off: potential for false positives blocking legitimate routing/account number formats, requires tuning); enable comprehensive database query logging and monitor for anomalous SELECT statements with UNION clauses, unusual table access patterns, or exfiltration attempts (trade-off: detective not preventive control, generates alert fatigue, privacy implications of logging all queries). Database-level restrictions such as ensuring the application database user has minimal necessary privileges and read-only access to sensitive tables can limit integrity impact but will not prevent confidentiality breach. These workarounds are inferior to patching-SQL injection cannot be reliably mitigated at the perimeter when the application layer is fundamentally vulnerable.

Share

CVE-2026-40482 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy