PT-2026-30660 · Churchcrm · Crm
Sh4Dowalker
·
Published
2026-04-06
·
Updated
2026-04-06
·
CVE-2026-34402
CVSS v3.1
8.1
High
| AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
ChurchCRM is an open-source church management system. Prior to 7.1.0, authenticated users with Edit Records or Manage Groups permissions can exploit a time-based blind SQL injection vulnerability in the PropertyAssign.php endpoint to exfiltrate or modify any database content, including user credentials, personal identifiable information (PII), and configuration secrets. This vulnerability is fixed in 7.1.0.
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Crm