CVE-2026-39330

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0

Description ChurchCRM, an open-source church management system, contains an SQL injection issue in the /PropertyAssign.php endpoint. Authenticated users with Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) permissions can inject arbitrary SQL statements through the Value parameter, potentially allowing them to extract and modify database information.

Recommendations Update to version 7.1.0 or later.