CVE-2026-39318

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0

Description ChurchCRM, an open-source church management system, has a SQL injection issue in the GroupPropsFormRowOps.php file. User input provided through the Field parameter is directly incorporated into SQL queries without sufficient sanitization. The mysqli real escape string() function fails to escape backtick characters, potentially enabling attackers to bypass SQL identifier context and execute arbitrary SQL statements.

Recommendations Update to version 7.1.0 or later.