** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39327. Reason: This candidate is a duplicate of CVE-2026-39327. Notes: All CVE users should reference CVE-2026-39327 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Churchcrm
  • Churchcrm

No data.

No data.

References

No reference.

History

Thu, 09 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description This CVE is a duplicate of another CVE. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39327. Reason: This candidate is a duplicate of CVE-2026-39327. Notes: All CVE users should reference CVE-2026-39327 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE.

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Wed, 08 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 08 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in MemberRoleChange.php
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRole POST parameter in src/MemberRoleChange.php is used in an SQL query without proper integer validation, allowing authenticated users to inject arbitrary SQL. The attack requires an authenticated session with ManageGroups role, knowledge of a valid GroupID and PersonID (obtainable from GroupView or PersonView pages) This vulnerability is fixed in 7.1.0. This CVE is a duplicate of another CVE.

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRole POST parameter in src/MemberRoleChange.php is used in an SQL query without proper integer validation, allowing authenticated users to inject arbitrary SQL. The attack requires an authenticated session with ManageGroups role, knowledge of a valid GroupID and PersonID (obtainable from GroupView or PersonView pages) This vulnerability is fixed in 7.1.0.
Title SQL Injection in MemberRoleChange.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
cve-icon MITRE

Status: REJECTED

Assigner: GitHub_M

Published: 2026-04-07T15:49:55.587Z

Updated: 2026-04-09T16:51:09.351Z

Reserved: 2026-04-03T20:09:02.826Z

Link: CVE-2026-35567

cve-icon Vulnrichment

Updated:

cve-icon NVD

Status : Rejected

Published: 2026-04-07T16:16:29.747

Modified: 2026-04-09T17:16:26.053

Link: CVE-2026-35567

cve-icon Redhat

No data.