PT-2026-30963 · Churchcrm · Churchcrm

Curly-Haired-Baboon · Published 2026-04-07 · Updated 2026-04-07

CVE-2026-39340 · CVSS v3.1 8.1 (High) · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.1.0

Description: ChurchCRM, an open-source church management system, contains a SQL injection issue in the PropertyTypeEditor.php file, which is part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The issue arises from replacing the legacyFilterInput() function, which both strips HTML and escapes SQL, with sanitizeText(), which only strips HTML. This allows authenticated users with the MenuOptions role to perform time-based blind injection and potentially access all data within the database, including password hashes.

Recommendations: Update to version 7.1.0 or later.
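As an added illustration (not ChurchCRM's own code), the PHP below contrasts the HTML-only sanitizer pattern described above, where a value is concatenated into the query, with a parameterized statement that binds the value as data. The helper, table and column names are assumptions chosen for the demo.

```php
<?php
// Added illustration, not ChurchCRM's code. The point: stripping HTML
// is not SQL escaping, and neither substitutes for parameter binding.
declare(strict_types=1);

// Hypothetical stand-in for an HTML-only sanitizer (the sanitizeText()
// pattern): removes tags but leaves SQL metacharacters such as ' intact.
function stripHtmlOnly(string $value): string
{
    return trim(strip_tags($value));
}

// Vulnerable pattern: the "sanitized" value is spliced into SQL text.
// Any single quote in the input still terminates the string literal,
// so the rest of the input becomes part of the statement.
function buildQueryUnsafe(string $name): string
{
    $clean = stripHtmlOnly($name);
    return "UPDATE property_type SET prt_Name = '" . $clean . "' WHERE prt_ID = 1";
}

// Hardened pattern: the value never enters the SQL text. The driver
// binds it as a parameter, so quotes in it are plain characters.
function updateNameSafe(PDO $db, int $id, string $name): int
{
    $stmt = $db->prepare('UPDATE property_type SET prt_Name = :name WHERE prt_ID = :id');
    $stmt->bindValue(':name', stripHtmlOnly($name), PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed input: ordinary text that happens to contain a quote.
$input = "<b>O'Brien</b>";

// Show how the quote survives strip_tags and lands inside the literal.
echo buildQueryUnsafe($input), PHP_EOL;

// Same input through the prepared statement, against an in-memory SQLite DB
// (assumed schema: property_type(prt_ID, prt_Name)).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE property_type (prt_ID INTEGER PRIMARY KEY, prt_Name TEXT)');
$db->exec("INSERT INTO property_type VALUES (1, 'placeholder')");
echo updateNameSafe($db, 1, $input), " row updated", PHP_EOL;
echo $db->query('SELECT prt_Name FROM property_type WHERE prt_ID = 1')->fetchColumn(), PHP_EOL;
```

Running it shows the concatenated query broken by the quote, while the bound parameter stores the name verbatim; this is the structural fix the 7.1.0 update applies in place of relying on a text sanitizer.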

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-39340

Affected Products: Churchcrm