Skip to main content

Ecclesia Crm CVE-2026-6628

| EUVD-2026-23823 LOW
SQL Injection (CWE-89)
2026-04-20 VulDB GHSA-9qc9-mh55-7xp5
SQLi Ecclesia Crm
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Analysis Generated
Apr 20, 2026 - 10:28 vuln.today
CVSS changed
Apr 20, 2026 - 10:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
EUVD ID Assigned
Apr 20, 2026 - 10:15 euvd
EUVD-2026-23823
Analysis Generated
Apr 20, 2026 - 10:15 vuln.today
CVE Published
Apr 20, 2026 - 10:00 nvd
LOW 2.1

DescriptionCVE.org

A flaw has been found in phili67 Ecclesia CRM up to 8.0.0. This affects the function ValidateInput of the file /v2/query/view/ of the component Query Viewer Component. This manipulation of the argument custom causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in phili67 Ecclesia CRM up to version 8.0.0 allows authenticated remote attackers to execute arbitrary SQL queries via the 'custom' parameter in the Query Viewer Component (/v2/query/view/). The vulnerability has a publicly available exploit and affects confidentiality, integrity, and availability of database operations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain valid CRM credentials
Delivery
Authenticate to Ecclesia CRM
Exploit
Send HTTP request to /v2/query/view/
Install
Inject SQL payload in 'custom' parameter
C2
ValidateInput function fails to sanitize input
Execute
Malicious SQL executes against database
Impact
Extract, modify, or delete CRM data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated user account on the Ecclesia CRM system (PR:L - low privilege level sufficient). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This vulnerability presents moderate real-world risk despite the relatively low CVSS score of 5.3. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user or attacker who has obtained valid credentials to Ecclesia CRM can craft a malicious HTTP request to the /v2/query/view/ endpoint with a specially crafted 'custom' parameter containing SQL injection payloads (e.g., UNION-based or time-based blind SQL injection). The request bypasses the ValidateInput function, which fails to sanitize the parameter. …
Remediation No vendor-released patch identified at time of analysis; the vendor did not respond to early disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6628 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy