PT-2026-30888 · Churchcrm · Churchcrm

Sh4Dowalker

·

Published

2026-04-07

·

Updated

2026-04-07

·

CVE-2026-35566

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ChurchCRM versions prior to 7.1.0

Description

A SQL injection vulnerability exists in ChurchCRM versions prior to 7.1.0. It is located in src/Reports/FundRaiserStatement.php, where the value of $_SESSION['iCurrentFundraiser'] is used in an unquoted numeric SQL context without integer validation. The value originates in src/FundRaiserEditor.php, where InputUtils::legacyFilterInputArr() is called without specifying the 'int' type, so a non-numeric string can be stored in the session and later spliced into the query, allowing its structure to be manipulated.

Recommendations

Update to version 7.1.0 or later.
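The source-to-sink pattern the description refers to, reduced to a stand-alone PHP script. This is an added example, not ChurchCRM's own code and not the 7.1.0 fix: the two filter helpers stand in for the string and 'int' modes of a legacy input filter, and the POST key, table name, column name and attacker string are assumptions made for the example. It shows why a value filtered as a string still reaches an unquoted numeric context as SQL, and how validating it as an integer at the source (and binding it at the sink) neutralises the payload.

```php
<?php
// Added example, not ChurchCRM code. Helper names, the POST key 'FundRaiserID',
// the table/column names and the payload are all assumptions for illustration.
declare(strict_types=1);

// Stand-in for a legacy filter called WITHOUT the 'int' type: it strips tags and
// trims, so any non-numeric text passes through unchanged.
function filterAsString(array $arr, string $key): string
{
    return isset($arr[$key]) ? trim(strip_tags((string) $arr[$key])) : '';
}

// Stand-in for the same filter called WITH the 'int' type: anything that is not a
// well-formed integer is rejected and replaced by 0. Note that a plain (int) cast
// would instead silently truncate "1 OR 1=1" to 1, which also stops the injection
// but hides the bad input rather than rejecting it.
function filterAsInt(array $arr, string $key): int
{
    $v = filter_var($arr[$key] ?? '', FILTER_VALIDATE_INT);
    return $v === false ? 0 : $v;
}

// Source (vulnerable): the request value is stored in the session as a string.
function storeCurrentFundraiserVulnerable(array $post, array &$session): void
{
    $session['iCurrentFundraiser'] = filterAsString($post, 'FundRaiserID');
}

// Source (hardened): the request value is validated as an integer before storage.
function storeCurrentFundraiserHardened(array $post, array &$session): void
{
    $session['iCurrentFundraiser'] = filterAsInt($post, 'FundRaiserID');
}

// Sink (vulnerable): the session value is concatenated into an unquoted numeric
// context. Without quotes there is nothing to escape, so "1 OR 1=1" becomes SQL.
function buildStatementQueryVulnerable(array $session): string
{
    return 'SELECT * FROM fundraiser_tbl WHERE fr_ID = ' . $session['iCurrentFundraiser'];
}

// Sink (hardened): the value is typed as int and bound as a parameter, so the
// query text is fixed regardless of what the session holds.
function buildStatementQueryHardened(array $session): array
{
    $fundraiserId = (int) $session['iCurrentFundraiser'];
    return ['SELECT * FROM fundraiser_tbl WHERE fr_ID = ?', [$fundraiserId]];
}

// Constructed attacker-controlled request value.
$post = ['FundRaiserID' => '1 OR 1=1'];

// Vulnerable path: the OR clause survives both the filter and the concatenation.
$session = [];
storeCurrentFundraiserVulnerable($post, $session);
echo "vulnerable: ", buildStatementQueryVulnerable($session), PHP_EOL;

// Hardened source: the 'int' filter rejects the payload before it reaches the session.
$session = [];
storeCurrentFundraiserHardened($post, $session);
echo "int-filtered: ", buildStatementQueryVulnerable($session), PHP_EOL;

// Hardened sink: placeholder plus typed parameter, shown as a (sql, params) pair.
[$sql, $params] = buildStatementQueryHardened($session);
echo "parameterised: ", $sql, ' with ', json_encode($params), PHP_EOL;
```

Running the script with `php` prints the three query forms. The first shows the WHERE clause rewritten to `fr_ID = 1 OR 1=1`, which returns every row; the second shows the same sink receiving `0` because FILTER_VALIDATE_INT rejected the payload; the third shows the sink that is safe even if the source filter is forgotten again. Fixing only the source (the 'int' type) closes this report, but a numeric column should also be bound as a typed parameter so a future caller cannot reintroduce the bug.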

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-35566

Affected Products

Churchcrm