theinfosecnews

CVE-2026-39329

Published April 7, 2026 · Updated April 8, 2026

CVSS 8.8 · High

What This Means

CVE-2026-39329 is a high-severity SQL injection vulnerability in ChurchCRM versions prior to 7.1.0. Authenticated users with AddEvent privileges can exploit this flaw through the newEvtTypeCntLst parameter, allowing them to manipulate SQL queries during event type creation. To mitigate this risk, upgrade to ChurchCRM version 7.1.0 or later immediately.

Official Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reaches an ON DUPLICATE KEY UPDATE clause where unescaped user input is interpolated directly. This vulnerability is fixed in 7.1.0.
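The bug class the description names is user input interpolated straight into the update half of an upsert. The Python script below is an added illustration, not ChurchCRM's code (this page does not show the project's source); it uses SQLite's ON CONFLICT ... DO UPDATE as the stand-in for MySQL's ON DUPLICATE KEY UPDATE, and the table names, column names and payload are assumptions. The first call creates the event type through the plain INSERT; the second call reuses the same name, so the duplicate-key path runs and the injected subquery executes inside the SET clause, writing another table's data into the attacker-readable count-list column. The hardened version binds both values and reuses the bound value via excluded.count_list, so the same payload is stored as an inert string.

```python
import sqlite3

# Constructed schema standing in for an event-type table and a table worth
# exfiltrating from. Names are assumptions, not ChurchCRM's real schema.
SCHEMA = """
CREATE TABLE event_types (name TEXT PRIMARY KEY, count_list TEXT NOT NULL);
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed-hash-for-demo');
"""

# Attacker-controlled value for the count-list field. SQLite's || is string
# concatenation, so the quotes close the literal and splice in a subquery.
# (MySQL would need CONCAT() or PIPES_AS_CONCAT; the mechanism is the same.)
PAYLOAD = "' || (SELECT pw_hash FROM users WHERE id = 1) || '"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def upsert_vulnerable(conn: sqlite3.Connection, name: str, count_list: str) -> None:
    """Bug class from the advisory: the input is interpolated into both the
    VALUES list and the ON CONFLICT ... DO UPDATE clause."""
    sql = (
        "INSERT INTO event_types (name, count_list) "
        f"VALUES ('{name}', '{count_list}') "
        f"ON CONFLICT(name) DO UPDATE SET count_list = '{count_list}'"
    )
    conn.execute(sql)
    conn.commit()


def upsert_safe(conn: sqlite3.Connection, name: str, count_list: str) -> None:
    """Hardened form: bound parameters; the update clause reuses the bound
    value through excluded.* instead of re-interpolating it."""
    sql = (
        "INSERT INTO event_types (name, count_list) VALUES (?, ?) "
        "ON CONFLICT(name) DO UPDATE SET count_list = excluded.count_list"
    )
    conn.execute(sql, (name, count_list))
    conn.commit()


def read_count_list(conn: sqlite3.Connection, name: str):
    row = conn.execute(
        "SELECT count_list FROM event_types WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def demo() -> tuple:
    """Returns (what the vulnerable path stored, what the safe path stored)."""
    vuln = fresh_db()
    upsert_vulnerable(vuln, "Sunday Service", "1,2,3")   # creation: plain INSERT path
    upsert_vulnerable(vuln, "Sunday Service", PAYLOAD)   # same name: UPDATE path runs the subquery
    leaked = read_count_list(vuln, "Sunday Service")

    safe = fresh_db()
    upsert_safe(safe, "Sunday Service", "1,2,3")
    upsert_safe(safe, "Sunday Service", PAYLOAD)
    stored = read_count_list(safe, "Sunday Service")
    return leaked, stored


if __name__ == "__main__":
    leaked, stored = demo()
    print("vulnerable path stored:", leaked)   # the admin hash, later readable by the attacker
    print("safe path stored:     ", stored)    # the payload text, stored verbatim
```

The point of the two-call sequence is that a reviewer who only tests the creation path sees a working INSERT and misses the clause that fires on a duplicate key. Any value that is concatenated into the statement text, in either half, is an injection point; binding the value once and referencing it with excluded.* removes the second copy entirely.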

Recommended Actions

  1. Check whether any ChurchCRM instance you run is older than 7.1.0 (ChurchCRM is the only product this advisory covers).
  2. Upgrade affected instances to 7.1.0 or later, the release that contains the fix; until then, restrict the AddEvent privilege to accounts that need it, since exploitation requires an authenticated user holding it.
  3. Monitor the vendor's advisories for updates and additional mitigations.
  4. Review web server, proxy and application logs for requests to /EventNames.php whose newEvtTypeCntLst value contains quotes, comment sequences or SQL keywords, and check stored event types for unexpected content.
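A concrete form of the log review in step 4, added here as an example and not taken from the page or the project: a triage script that parses combined-format access-log lines, keeps only requests to /EventNames.php, URL-decodes the newEvtTypeCntLst parameter and flags values containing SQL metacharacters or keywords. The sample log lines are constructed for the example, and they assume the parameter travelled in the query string; if the form submits it in a POST body, a standard access log never records it, and you need reverse-proxy or WAF body logging, or the application's own logs, instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format prefix: client, ident, remote user, timestamp, request
# line and status. Enough for triage; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Metacharacters and keywords that have no business in a count list but
# appear in most SQL injection payloads. Tune against your own traffic.
SUSPICIOUS = re.compile(
    r"('|--|/\*|\|\||;|\b(select|union|insert|update|delete|sleep|benchmark|concat)\b)",
    re.IGNORECASE,
)

# Constructed sample log (invented for this example). Line 1 is a benign
# event-type creation; lines 2 and 4 carry payloads; line 3 is unrelated.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Apr/2026:09:12:01 +0000] "GET /EventNames.php?newEvtTypeName=Bible+Study&newEvtTypeCntLst=1%2C2%2C3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Apr/2026:09:14:33 +0000] "GET /EventNames.php?newEvtTypeName=Sunday+Service&newEvtTypeCntLst=%27%20%7C%7C%20(SELECT%20pw_hash%20FROM%20users%20LIMIT%201)%20%7C%7C%20%27 HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [08/Apr/2026:09:15:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Apr/2026:09:16:10 +0000] "GET /EventNames.php?newEvtTypeName=x&newEvtTypeCntLst=1%27%20OR%20SLEEP(5)--%20 HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""


def triage_line(line: str):
    """Return a finding for a suspicious /EventNames.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/EventNames.php"):
        return None
    # parse_qs percent-decodes the value, so obfuscated quotes still match.
    values = parse_qs(parts.query, keep_blank_values=True).get("newEvtTypeCntLst", [])
    hits = [v for v in values if SUSPICIOUS.search(v)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "payload": hits[0],
    }


def triage_log(text: str) -> list:
    """Run triage_line over every line and keep the findings, in log order."""
    return [f for f in (triage_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} status={finding['status']} value={finding['payload']!r}")
```

A 500 response on a flagged request often means a payload broke the query rather than that it failed; treat it as a probe, not a miss. Because the remote-user field is empty when the application does its own session login, correlate flagged source addresses and timestamps with the application's login records to identify which AddEvent account was used, and compare the event types now in the database against what administrators recall creating.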

Related Coverage

Vulnerability

CVE-2026-39329: High-Risk SQL Injection in ChurchCRM

CVE-2026-39329 is an SQL injection vulnerability in ChurchCRM versions prior to 7.1.0. Exploited via the newEvtTypeCntLst parameter, it allows authenticated users with AddEvent privileges to manipulate SQL queries. Upgrade to version 7.1.0 or later to mitigate.

Source: NVD