EUVD-2026-19825
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can inject arbitrary SQL statements through the Value parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Analysis
SQL injection in ChurchCRM's /PropertyAssign.php endpoint allows authenticated users with 'Manage Groups & Roles' and 'Edit Records' privileges to execute arbitrary SQL commands through the Value parameter. Affecting all versions prior to 7.1.0, attackers can extract sensitive church membership data, modify database records, or potentially achieve complete database compromise. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all ChurchCRM instances in your environment and document current versions; restrict access to PropertyAssign.php at the network level if version 7.1.0 cannot be deployed immediately. Within 7 days: Upgrade all ChurchCRM installations to version 7.1.0 per vendor advisory; verify upgrade completion across all systems. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today