Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
No reference.
Tue, 07 Apr 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in src/Reports/FundRaiserStatement.php where the $_SESSION['iCurrentFundraiser'] value is used in an unquoted numeric SQL context without integer validation. The value originates from src/FundRaiserEditor.php where InputUtils::legacyFilterInputArr() is called without the 'int' type specifier. This vulnerability is fixed in 7.1.0. | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39319. Reason: This candidate is a duplicate of CVE-2026-39319. Notes: All CVE users should reference CVE-2026-39319 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE. |
| Title | ChurchCRM has a SQL Injection via Unquoted Session Value in FundRaiserStatement.php | |
| Weaknesses | CWE-89 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Tue, 07 Apr 2026 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in src/Reports/FundRaiserStatement.php where the $_SESSION['iCurrentFundraiser'] value is used in an unquoted numeric SQL context without integer validation. The value originates from src/FundRaiserEditor.php where InputUtils::legacyFilterInputArr() is called without the 'int' type specifier. This vulnerability is fixed in 7.1.0. | |
| Title | ChurchCRM has a SQL Injection via Unquoted Session Value in FundRaiserStatement.php | |
| Weaknesses | CWE-89 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: REJECTED
Assigner: GitHub_M
Published:
Updated: 2026-04-07T18:27:20.468Z
Reserved: 2026-04-03T20:09:02.826Z
Link: CVE-2026-35566
No data.
Status : Rejected
Published: 2026-04-07T16:16:29.587
Modified: 2026-04-07T19:16:44.447
Link: CVE-2026-35566
No data.
OpenCVE Enrichment
No data.
No weakness.