CVE-2026-39326

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0

Description ChurchCRM, an open-source church management system, contains an SQL injection flaw in the /PropertyTypeEditor.php endpoint. Authenticated users with the isMenuOptionsEnabled role can inject SQL statements through the Name and Description parameters, potentially allowing them to extract and modify database information.

Recommendations Update to version 7.1.0 or later.