#VU125691 SQL injection in ChurchCRM - CVE-2026-34402
Published: April 9, 2026
ChurchCRM
Description
The vulnerability allows a remote user to disclose sensitive information and modify database content.
The vulnerability exists due to SQL injection in the PropertyAssign.php endpoint when processing the Value POST parameter in property value assignment requests. A remote user can send a specially crafted request to disclose sensitive information and modify database content.
Exploitation requires a valid session and either Edit Records or Manage Groups permission.
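The injection class described above, shown as an added example that is not ChurchCRM's code: a posted `Value` concatenated into an UPDATE statement, next to the same statement with bound parameters. The table, columns, function names and the `RecordID`/`PropertyID` fields are hypothetical, and in-memory SQLite stands in for the real database so the script runs offline.

```php
<?php
// Added illustration: schema and function names are hypothetical, not ChurchCRM's.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE property_assignment (record_id INTEGER, property_id INTEGER, value TEXT)');
    $db->exec("INSERT INTO property_assignment VALUES (1, 7, 'old-a'), (2, 7, 'old-b')");
    return $db;
}

// Unsafe pattern: the posted Value becomes part of the SQL text itself.
function assignUnsafe(PDO $db, int $recordId, int $propertyId, string $value): int
{
    return (int) $db->exec(
        "UPDATE property_assignment SET value = '$value' " .
        "WHERE record_id = $recordId AND property_id = $propertyId"
    );
}

// Hardened pattern: the SQL text is fixed and Value travels only as bound data.
function assignSafe(PDO $db, int $recordId, int $propertyId, string $value): int
{
    $stmt = $db->prepare(
        'UPDATE property_assignment SET value = :value ' .
        'WHERE record_id = :rid AND property_id = :pid'
    );
    $stmt->bindValue(':value', $value, PDO::PARAM_STR);
    $stmt->bindValue(':rid', $recordId, PDO::PARAM_INT);
    $stmt->bindValue(':pid', $propertyId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed request body: Value carries a quote and a SQL comment marker.
$post = ['Value' => "x' --", 'RecordID' => '1', 'PropertyID' => '7'];
$rid = filter_var($post['RecordID'], FILTER_VALIDATE_INT);
$pid = filter_var($post['PropertyID'], FILTER_VALIDATE_INT);
if ($rid === false || $pid === false) {
    exit("invalid id\n");
}

// The concatenated form loses its WHERE clause; the bound form stores the text as-is.
printf("concatenated: %d row(s) changed\n", assignUnsafe(makeDb(), $rid, $pid, $post['Value']));
printf("bound:        %d row(s) changed\n", assignSafe(makeDb(), $rid, $pid, $post['Value']));
```

With the constructed input, the concatenated statement changes every row in the table, while the bound statement changes only the row addressed by the two ids.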