CVE-2026-39329

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0

Description ChurchCRM, an open-source church management system, contains a SQL injection issue in the /EventNames.php file. Authenticated users with AddEvent privileges can inject SQL through the newEvtTypeCntLst parameter when creating event types. The vulnerability occurs within an ON DUPLICATE KEY UPDATE clause where user-supplied input is directly included without proper sanitization.

Recommendations Update to version 7.1.0 or later.