EUVD-2026-19847
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST parameter is not sanitized before being used in a SQL query, allowing an administrator to execute arbitrary SQL commands directly against the database. This vulnerability is fixed in 7.1.0.
Analysis
SQL injection in ChurchCRM 7.0.x and earlier allows authenticated administrators to execute arbitrary SQL commands via unsanitized EN_tyid parameter in EditEventTypes.php. While requiring high-privilege administrative access (CVSS PR:H), successful exploitation enables complete database compromise including data exfiltration, modification, and potential server-level access through database features. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all ChurchCRM deployments and confirm version numbers. Within 7 days: Upgrade all instances to ChurchCRM 7.1.0 or later; if upgrades cannot be completed, restrict administrative access to trusted personnel only and implement database access logging. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today