#VU125690 SQL injection in ChurchCRM - CVE-2026-35566

 


Published: April 9, 2026


Vulnerability identifier: #VU125690
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-35566
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote user to execute arbitrary SQL queries and disclose sensitive information.

The vulnerability exists due to SQL injection in src/Reports/FundRaiserStatement.php when processing a session value in an unquoted numeric SQL context. A remote user can plant a specially crafted FundRaiserID value in the session and trigger the vulnerable report to execute arbitrary SQL queries and disclose sensitive information.

Exploitation requires two HTTP requests because the payload is first stored in the session and then executed later in a different file.
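The class of bug described above, a session-stored value dropped into an unquoted numeric SQL context, is easiest to see side by side with its fix. The following is an added illustration, not ChurchCRM's code: the in-memory `fundraiser` table, the `fetch_unsafe`/`fetch_safe` functions and the session values are all constructed here. `fetch_unsafe` shows how a non-integer value changes the structure of the query; `fetch_safe` treats the session value as untrusted input, enforces a bare positive integer and binds it as a parameter, which is the shape of the fix a reviewer would look for in the patched report.

```python
import re
import sqlite3

# Constructed in-memory schema standing in for a fundraiser table (not ChurchCRM's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fundraiser (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO fundraiser VALUES (?, ?)",
        [(1, "Spring Auction"), (2, "Fall Gala"), (3, "Year-End Appeal")],
    )
    conn.commit()
    return conn


def fetch_unsafe(conn, session_value):
    """Vulnerable pattern: the session value is concatenated into an unquoted numeric
    context. Anything that is not a bare integer is parsed as SQL and alters the WHERE
    clause instead of being compared as data."""
    sql = "SELECT id, title FROM fundraiser WHERE id = " + str(session_value)
    return conn.execute(sql).fetchall()


# Bare decimal digits only; no sign, whitespace, or unicode digit classes.
_ID_RE = re.compile(r"[0-9]{1,10}")


def validate_id(session_value):
    """The session is client-influenced state, so validate it like any request input:
    accept only a bare positive integer and reject everything else loudly."""
    s = str(session_value)
    if not _ID_RE.fullmatch(s) or int(s) <= 0:
        raise ValueError("FundRaiserID must be a positive integer")
    return int(s)


def fetch_safe(conn, session_value):
    """Hardened pattern: validate first, then bind the value as a query parameter so the
    database driver never interprets it as part of the SQL text."""
    fr_id = validate_id(session_value)
    return conn.execute(
        "SELECT id, title FROM fundraiser WHERE id = ?", (fr_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(fetch_unsafe(conn, "2"))          # one row, as intended
    print(fetch_unsafe(conn, "0 OR 1=1"))   # every row: the value rewrote the query
    print(fetch_safe(conn, "2"))            # one row
    try:
        fetch_safe(conn, "0 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)              # malformed session value never reaches SQL
```

The validation step matters even with parameter binding: an integer column bound with a string parameter still works in most drivers, but failing closed on a malformed session value also gives a clean place to log the anomaly, since a non-numeric FundRaiserID in the session is itself a signal worth alerting on.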


Remediation

Install the security update from the vendor's website.

External links