#VU125680 SQL injection in ChurchCRM

Published: April 9, 2026


Vulnerability identifier: #VU125680
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
ChurchCRM
Software vendor:
ChurchCRM

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in QueryView.php when processing the searchstring POST parameter in stored query templates. A remote attacker can send a specially crafted POST request to execute arbitrary SQL commands.

The issue is reachable through the reporting query menu, including the default Advanced Search stored query with QueryID 15.
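The pattern the description names, a request parameter spliced into the text of a stored query template, is shown below beside the parameterized alternative. This is an added example, not ChurchCRM's code: the `people` table, the `~searchstring~` placeholder syntax and both templates are constructed for illustration, and SQLite stands in for the application's database.

```python
import sqlite3

# Constructed sample rows; not the project's schema.
SAMPLE_ROWS = [(1, "Smith"), (2, "O'Brien"), (3, "Smithson")]

# Hypothetical placeholder token used by the stored templates below.
PLACEHOLDER = "~searchstring~"

# Vulnerable template style (constructed): the request value is expected to be
# pasted into the SQL text inside a quoted literal.
TEMPLATE_UNSAFE = (
    "SELECT id, last_name FROM people "
    "WHERE last_name LIKE '%" + PLACEHOLDER + "%' ORDER BY id"
)

# Hardened template style (constructed): the template carries a bind marker,
# so the request value can only ever be data.
TEMPLATE_SAFE = "SELECT id, last_name FROM people WHERE last_name LIKE ? ORDER BY id"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, last_name TEXT NOT NULL)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def run_template_unsafe(conn, template, searchstring):
    """Vulnerable pattern: the POST value becomes part of the SQL text, so the
    database parses it as SQL instead of treating it as a search value."""
    sql = template.replace(PLACEHOLDER, searchstring)
    return conn.execute(sql).fetchall()


def run_template_safe(conn, template, searchstring):
    """Hardened pattern: the stored template keeps a bind marker and the value
    is passed separately; the LIKE wildcards are added on the application side."""
    return conn.execute(template, ("%" + searchstring + "%",)).fetchall()


def unsafe_breaks_on_quote(conn, template, searchstring):
    """Return True when splicing the value into the template produces a SQL
    error. A stray quote character in a legitimate name is enough to show
    the value is being parsed as SQL, which is the defect the advisory describes."""
    try:
        run_template_unsafe(conn, template, searchstring)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("safe, plain name:   ", run_template_safe(db, TEMPLATE_SAFE, "Smith"))
    print("safe, name w/ quote:", run_template_safe(db, TEMPLATE_SAFE, "O'Brien"))
    print("unsafe, plain name: ", run_template_unsafe(db, TEMPLATE_UNSAFE, "Smith"))
    print("unsafe errors on quote:", unsafe_breaks_on_quote(db, TEMPLATE_UNSAFE, "O'Brien"))
```

The parameterized template returns the same rows for ordinary input and treats a quote character as part of the search value, while the spliced template already fails on a legitimate surname containing an apostrophe. That failure is the cheapest check a reviewer or tester can apply to a reporting feature like the one described: if a single quote in the search field produces a database error, the value is reaching the SQL parser.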


Remediation

Install security update from vendor's website.

External links