PT-2026-30945 · Churchcrm · Churchcrm

Sh4Dowalker · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-39323

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.1.0
Description: A critical SQL injection issue exists in ChurchCRM's PropertyTypeEditor.php. The Name and Description POST parameters are insufficiently sanitized, using only strip_tags(), before being incorporated directly into SQL queries. strip_tags() removes HTML markup but leaves SQL metacharacters untouched, so an authenticated user with the 'Manage Properties' permission can execute arbitrary SQL commands, potentially leading to data exfiltration, modification, and deletion. Injected data persists in the database and is reflected across multiple application pages without output encoding.
Recommendations: Update to version 7.1.0 or later.
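The following is an added illustration of the weak pattern the advisory describes and of the fix a maintainer would apply; it is not ChurchCRM's code. The PDO handle `$pdo`, the table `property_type` and its columns are hypothetical placeholders.

```php
<?php
// Added illustration of the flaw described above; NOT ChurchCRM's code.
// Assumptions (hypothetical): a PDO handle $pdo and a table
// property_type(name, description). All names are placeholders.

// Weak pattern: strip_tags() removes HTML markup but leaves SQL
// metacharacters (quotes, comment markers, semicolons) untouched, so
// interpolating the result into a query string is still injectable.
function savePropertyTypeWeak(PDO $pdo, string $name, string $description): void
{
    $name = strip_tags($name);
    $description = strip_tags($description);
    // Vulnerable: user input concatenated straight into the SQL text.
    $sql = "INSERT INTO property_type (name, description) "
         . "VALUES ('$name', '$description')";
    $pdo->exec($sql);
}

// Hardened pattern: a prepared statement keeps data and SQL separate, so
// the contents of $name/$description can never alter the query structure.
function savePropertyTypeSafe(PDO $pdo, string $name, string $description): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO property_type (name, description) VALUES (:name, :description)'
    );
    $stmt->execute([
        ':name'        => $name,
        ':description' => $description,
    ]);
}

// The advisory also notes that stored values are reflected without output
// encoding. Encode at render time; input-side strip_tags() is not a
// substitute for context-aware output escaping.
function renderPropertyType(array $row): string
{
    $name = htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $desc = htmlspecialchars($row['description'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<tr><td>{$name}</td><td>{$desc}</td></tr>";
}
```

When reviewing a codebase for this class of bug, grep for query strings built from `$_POST` values after `strip_tags()` or similar filters; any such site needs the prepared-statement form regardless of what input filtering precedes it.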

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-39323

Affected Products

Churchcrm