CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in src/Reports/FundRaiserStatement.php where the $_SESSION['iCurrentFundraiser'] value is used in an unquoted numeric SQL context without integer validation. The value originates from src/FundRaiserEditor.php where InputUtils::legacyFilterInputArr() is called without the 'int' type specifier. This vulnerability is fixed in 7.1.0.
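To illustrate the bug class the description names (a session value dropped into an unquoted numeric SQL context without being validated as an integer), here is an added, hypothetical PHP example that is not ChurchCRM's own code: the unsafe pattern beside a hardened form that validates the integer and binds it as a parameter. The function names, table name and column name are assumptions.

```php
<?php
// Hypothetical illustration of the bug class described above; not ChurchCRM code.

// Unsafe: the session value is concatenated into a numeric context with no
// quotes around it, so anything that is not a plain integer becomes part of
// the SQL statement instead of data.
function buildStatementQueryUnsafe(array $session): string
{
    $id = $session['iCurrentFundraiser'] ?? '';
    return "SELECT * FROM fundraiser_tbl WHERE fr_ID = " . $id;
}

// Hardened step 1: accept only a positive integer, reject everything else.
function validateFundraiserId($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('Invalid fundraiser id');
    }
    return $id;
}

// Hardened step 2: bind the validated integer as a typed parameter so the
// database never parses it as SQL, even if validation were later weakened.
function fetchStatementSafe(PDO $pdo, array $session): array
{
    $id = validateFundraiserId($session['iCurrentFundraiser'] ?? null);
    $stmt = $pdo->prepare('SELECT * FROM fundraiser_tbl WHERE fr_ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs: a well-formed id passes, a non-integer string is
// rejected before any query is built.
var_dump(validateFundraiserId('42'));
try {
    validateFundraiserId('42abc');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The validation step is what the 'int' type specifier mentioned in the description provides at the input layer; the bound parameter is the defence-in-depth that keeps the report query safe regardless of how the session value was populated.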
Analysis
SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with low privileges to execute arbitrary SQL commands via the fund raiser statement report functionality. The vulnerability stems from inadequate input validation of session-based fundraiser identifiers in src/Reports/FundRaiserStatement.php, enabling attackers to achieve complete database compromise including data exfiltration, modification, and potential remote code execution. …
Remediation
Within 24 hours: Identify all ChurchCRM instances and document current versions; restrict access to fundraiser statement reports to administrative users only. Within 7 days: Upgrade ChurchCRM to version 7.1.0 or later if available from vendor, or implement database-level access controls to limit SQL query capabilities for non-admin accounts. …
EUVD-2026-19720