Skip to main content

Ecclesiacrm

1 CVEs product

Monthly

CVE-2026-44418 HIGH This Week

SQL injection in EcclesiaCRM 8.0.0 and earlier allows authenticated remote attackers to execute arbitrary SQL queries through the query view feature. The flaw stems from an incomplete fix for CVE-2026-35184: the ValidateInput() function's default case passes user-supplied POST parameters directly into str_replace-based SQL construction without sanitization when non-standard validation types are used. No public exploit identified at time of analysis, and EPSS rates exploitation likelihood at just 0.03%.

SQLi Ecclesiacrm
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in EcclesiaCRM 8.0.0 and earlier allows authenticated remote attackers to execute arbitrary SQL queries through the query view feature. The flaw stems from an incomplete fix for CVE-2026-35184: the ValidateInput() function's default case passes user-supplied POST parameters directly into str_replace-based SQL construction without sanitization when non-standard validation types are used. No public exploit identified at time of analysis, and EPSS rates exploitation likelihood at just 0.03%.

SQLi Ecclesiacrm
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy