PT-2026-30889 · Churchcrm · Churchcrm

Sh4Dowalker · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-35567

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.1.0

Description: ChurchCRM is an open-source church management system susceptible to SQL injection. The NewRole POST parameter in src/MemberRoleChange.php is used in an SQL query without sufficient integer validation. This allows authenticated users with the ManageGroups role to inject arbitrary SQL; exploitation requires knowledge of a valid GroupID and PersonID, which are obtainable from the GroupView or PersonView pages.

Recommendations: Update to version 7.1.0 or later.
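The root cause named above is a POST integer that reaches SQL without strict validation. The following is an added illustration of the mitigation pattern (strict integer validation plus a parameterized query); it is not ChurchCRM's code, and the table name, column names, and PDO handle are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM's code. Table and column names are placeholders.
// Authorization (that the caller holds the ManageGroups role) is assumed to have
// been enforced before this function is reached.

/**
 * Return the POST value as an int only if it is a canonical non-negative
 * integer string; otherwise return null. FILTER_VALIDATE_INT rejects anything
 * with trailing text, whitespace, decimals or exponents, which looser checks
 * such as is_numeric() (accepts "1e3") or a bare (int) cast (silently maps
 * "1abc" to 1) do not reliably distinguish from a clean identifier.
 */
function parsePostId(array $post, string $key): ?int
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $value = filter_var($post[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    return $value === false ? null : $value;
}

function changeMemberRole(PDO $db, array $post): bool
{
    $groupId  = parsePostId($post, 'GroupID');
    $personId = parsePostId($post, 'PersonID');
    $newRole  = parsePostId($post, 'NewRole');

    if ($groupId === null || $personId === null || $newRole === null) {
        http_response_code(400); // reject rather than let malformed input near SQL
        return false;
    }

    // Even after validation, bind the values instead of interpolating them,
    // so the query text never depends on request data.
    $stmt = $db->prepare(
        'UPDATE group_member_role SET role_id = :role '
        . 'WHERE group_id = :grp AND person_id = :per'
    );
    $stmt->bindValue(':role', $newRole, PDO::PARAM_INT);
    $stmt->bindValue(':grp', $groupId, PDO::PARAM_INT);
    $stmt->bindValue(':per', $personId, PDO::PARAM_INT);

    return $stmt->execute() && $stmt->rowCount() === 1;
}
```

Callers would pass `$_POST` as `$post`; a `false` return with a 400 status is the expected outcome for any NewRole value that is not a plain integer.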

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-35567

Affected Products

Churchcrm