EUVD-2026-19824

Q: Is PHP affected by EUVD-2026-19824?

ChurchCRM versions prior to 7.1.0 contain a SQL injection vulnerability in event type creation that allows authenticated users with AddEvent privileges to manipulate or exfiltrate database contents without additional authentication barriers.

| CVE-2026-39329 HIGH

2026-04-07 GitHub_M

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 18:00 euvd

EUVD-2026-19824

Analysis Generated

Apr 07, 2026 - 18:00 vuln.today

CVE Published

Apr 07, 2026 - 17:33 nvd

HIGH 8.8

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reaches an ON DUPLICATE KEY UPDATE clause where unescaped user input is interpolated directly. This vulnerability is fixed in 7.1.0.

Analysis

SQL injection in ChurchCRM /EventNames.php allows authenticated users with AddEvent privileges to execute arbitrary SQL commands via the newEvtTypeCntLst parameter during event type creation. The vulnerability reaches an ON DUPLICATE KEY UPDATE clause where user input is interpolated without sanitization, enabling high-impact database manipulation. …

Remediation

Within 24 hours: Inventory all ChurchCRM installations and document version numbers; restrict AddEvent privilege assignment to trusted administrators only and audit current privilege grants. Within 7 days: Upgrade ChurchCRM to version 7.1.0 or later if released; if unavailable, implement database query logging and monitor for suspicious SQL patterns in /EventNames.php requests. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

EUVD-2026-19824 vulnerability details – vuln.today

Back

EUVD-2026-19824

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-19824

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code