PT-2026-33526 · ChurchCRM · ChurchCRM
Published 2026-04-17 · Updated 2026-04-18 · CVE-2026-40482
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
ChurchCRM versions prior to 7.2.0

Description
An issue exists in the open-source church management system ChurchCRM where unsanitized input in the $routeAndAccount variable is concatenated into raw SQL within the getMemberByScanString() function of the FinancialService class, leading to SQL injection.

Recommendations
Update to version 7.2.0. As a temporary workaround, consider restricting access to the getMemberByScanString() function until the update is applied.

Fix
SQL injection
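As an added illustration (not ChurchCRM's own code and not taken from the advisory), the two shapes such a lookup can take in PHP with PDO: the concatenating pattern the description refers to, and the bound-parameter form a fix would use. The table and column names (member_scan, route_and_account, member_id) and the sample scan string are assumptions.

```php
<?php
// Added illustration, not ChurchCRM's actual code. Table and column names
// (member_scan, route_and_account, member_id) are hypothetical.

// The pattern the advisory describes: the scan string is spliced straight
// into the SQL text, so quote or operator characters in it become SQL.
function getMemberByScanStringUnsafe(PDO $db, string $routeAndAccount): ?array
{
    $sql = "SELECT member_id FROM member_scan WHERE route_and_account = '"
         . $routeAndAccount . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened form: the value travels as a bound parameter, so the database
// receives a fixed statement and the input can only ever be data.
function getMemberByScanStringSafe(PDO $db, string $routeAndAccount): ?array
{
    $stmt = $db->prepare(
        'SELECT member_id FROM member_scan WHERE route_and_account = :ra'
    );
    $stmt->bindValue(':ra', $routeAndAccount, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Self-contained demonstration on an in-memory SQLite database
// (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member_scan (member_id INTEGER, route_and_account TEXT)');
$db->exec("INSERT INTO member_scan VALUES (42, '021000021-12345')");

var_dump(getMemberByScanStringSafe($db, '021000021-12345')); // member_id => 42

// An input containing a stray quote simply matches nothing in the prepared
// version, but breaks the concatenated statement. A PDOException from a
// query built this way is a useful signal to log and alert on.
var_dump(getMemberByScanStringSafe($db, "O'Brien"));          // NULL
try {
    getMemberByScanStringUnsafe($db, "O'Brien");
} catch (PDOException $e) {
    echo "unsafe version failed: " . $e->getMessage() . PHP_EOL;
}
```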
Affected Products: ChurchCRM