Skip to main content

EcclesiaCRM CVE-2026-44418

| EUVDEUVD-2026-30169 HIGH
SQL Injection (CWE-89)
2026-05-13 GitHub_M
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 08:53 vuln.today
Analysis Generated
Jun 08, 2026 - 08:53 vuln.today
CVSS changed
May 13, 2026 - 21:22 NVD
8.7 (HIGH)

DescriptionGitHub Advisory

EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL queries via str_replace without any sanitization, enabling SQL injection through query parameters that use non-standard validation types. This is caused by an incomplete fix for CVE-2026-35184.

AnalysisAI

SQL injection in EcclesiaCRM 8.0.0 and earlier allows authenticated remote attackers to execute arbitrary SQL queries through the query view feature. The flaw stems from an incomplete fix for CVE-2026-35184: the ValidateInput() function's default case passes user-supplied POST parameters directly into str_replace-based SQL construction without sanitization when non-standard validation types are used. No public exploit identified at time of analysis, and EPSS rates exploitation likelihood at just 0.03%.

Technical ContextAI

EcclesiaCRM is an open-source PHP-based church management CRM maintained by phili67 (CPE cpe:2.3:a:phili67:ecclesiacrm). The vulnerability is a classic CWE-89 (SQL Injection) located in src/v2/templates/query/queryview.php within the ValidateInput() function. When a query parameter declares a validation type that is not explicitly handled, the default switch branch previously assigned the raw $POST value to $vPOST[$qrp_Alias], which was then interpolated into the SQL template via str_replace. The upstream commit f743b97 routes all branches through InputUtils::LegacyFilterInput() and gates SQL display behind isAdmin() checks, confirming the root cause was missing input filtering in the default validation path - a regression from the original CVE-2026-35184 remediation.

RemediationAI

Upstream fix available (commit f743b97f89da469a4c70b82bd61d0a59a3a957a9); released patched version not independently confirmed from the provided data - administrators should pull the latest main branch or any release tagged after this commit and consult the GHSA advisory at https://github.com/phili67/ecclesiacrm/security/advisories/GHSA-vmgq-gpf9-mjjj for tagged release guidance. The patch funnels every validation branch through InputUtils::LegacyFilterInput() and restricts raw SQL display to admins, so cherry-picking the diff into src/v2/templates/query/queryview.php is a viable interim option for operators who cannot upgrade immediately. As compensating controls until patched, restrict access to the /query/queryview.php endpoint via web server ACLs or reverse-proxy rules (side effect: blocks legitimate report users), audit and remove non-admin accounts that have query-execution privileges (side effect: removes reporting capability for those users), and enable database-level least-privilege so the EcclesiaCRM database user cannot execute schema changes or read sensitive cross-schema tables (side effect: may break legitimate admin queries that rely on broader grants).

Share

CVE-2026-44418 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy