PT-2026-30949 · Churchcrm · Churchcrm

Adrianjunge · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-39319

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.1.0

Description: ChurchCRM is susceptible to a second-order SQL injection issue in the /FundRaiserEditor.php endpoint. An authenticated user, without specific privileges, can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter, potentially allowing them to extract and modify database information.

Recommendations: Update to version 7.1.0 or later.
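The advisory describes a second-order injection: the tainted value is not read straight from the request but from a PHP session variable that was populated in an earlier request, which is exactly the kind of source developers tend to treat as trusted. The following is an added illustration written for this page, not ChurchCRM's code and not the actual vulnerable query from /FundRaiserEditor.php. It shows the general pattern (a session value concatenated into SQL) beside a hardened version that validates the value as an integer and binds it as a parameter. The table and column names (fundraisers, id, title) and the assumption that the fundraiser identifier is an integer are illustrative assumptions; only the session key iCurrentFundraiser comes from the advisory. It runs stand-alone against an in-memory SQLite database via PDO.

```php
<?php
// Added illustration of a second-order SQL injection pattern and its fix.
// Not ChurchCRM code. Assumed (illustrative) schema: fundraisers(id, title).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE fundraisers (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO fundraisers VALUES (1, 'Spring Auction'), (2, 'Fall Dinner')");

// Simulated $_SESSION. In the real application this value would have been
// written during an earlier request (hence "second-order"); by the time the
// editor page reads it back, it looks like internal state rather than input.
$session = ['iCurrentFundraiser' => '1 OR 1=1'];   // constructed sample value

// Vulnerable pattern: the session value is interpolated into the statement,
// so whatever was stored is parsed as part of the WHERE clause.
function loadFundraiserUnsafe(PDO $pdo, array $session): array
{
    $id = $session['iCurrentFundraiser'];
    $sql = "SELECT id, title FROM fundraisers WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: treat session data as untrusted, validate it against the
// expected type (a positive integer here, by assumption), and bind it so the
// database driver never sees it as SQL text.
function loadFundraiserSafe(PDO $pdo, array $session): array
{
    $id = filter_var($session['iCurrentFundraiser'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        throw new InvalidArgumentException('iCurrentFundraiser is not a valid fundraiser ID');
    }
    $stmt = $pdo->prepare('SELECT id, title FROM fundraisers WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Compare how many rows each version returns for the same session content.
printf("unsafe: %d row(s) returned\n", count(loadFundraiserUnsafe($pdo, $session)));

try {
    loadFundraiserSafe($pdo, $session);
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected before any query ran (' . $e->getMessage() . ")\n";
}

// With a well-formed identifier the hardened version behaves normally.
echo 'safe with a valid id: ' . json_encode(loadFundraiserSafe($pdo, ['iCurrentFundraiser' => '2'])) . "\n";
```

The design point is that the trust boundary is not the HTTP request but every place where data enters a query. Anything that can be influenced by a user, including values persisted in the session or database on their behalf, should be validated at the point of use and passed through bound parameters; a code review or static-analysis rule that flags string-built SQL regardless of where the operands come from will catch this class of defect, whereas one that only tracks `$_GET`/`$_POST` will not.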

Fix

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-39319

Affected Products: Churchcrm