CVE-2026-44418

Name of the Vulnerable Software and Affected Versions EcclesiaCRM versions 8.0.0 and earlier

Description The ValidateInput() function's default case in the query view passes user-supplied POST parameters directly into SQL queries using str replace without proper sanitization. This allows for SQL injection, a technique where malicious SQL statements are inserted into entry fields for execution, specifically through query parameters that utilize non-standard validation types.

Recommendations Update EcclesiaCRM to a version later than 8.0.0. As a temporary workaround, restrict access to the query view or avoid using non-standard validation types in query parameters until a patch is applied.