{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sqlinjection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-34402"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqlinjection","cve-2026-34402","churchcrm","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM is an open-source church management system. Prior to version 7.1.0, the application suffers from a time-based blind SQL injection vulnerability (CVE-2026-34402). Authenticated users with either \u0026ldquo;Edit Records\u0026rdquo; or \u0026ldquo;Manage Groups\u0026rdquo; permissions can exploit this flaw. Successful exploitation allows attackers to exfiltrate or modify any database content, which could include user credentials, personally identifiable information (PII), and configuration secrets. The vulnerable endpoint is \u003ccode\u003ePropertyAssign.php\u003c/code\u003e. This vulnerability was addressed and fixed in version 7.1.0 of ChurchCRM. Defenders should prioritize patching vulnerable instances to prevent unauthorized access and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for ChurchCRM, with \u0026ldquo;Edit Records\u0026rdquo; or \u0026ldquo;Manage Groups\u0026rdquo; permissions. This could be achieved through credential stuffing, password reuse, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003ePropertyAssign.php\u003c/code\u003e endpoint. This request contains a SQL injection payload within a parameter processed by the application.\u003c/li\u003e\n\u003cli\u003eThe application processes the malicious SQL query, injecting it into the database query without proper sanitization.\u003c/li\u003e\n\u003cli\u003eDue to the blind nature of the SQL injection, the attacker uses time-based techniques (e.g., \u003ccode\u003eSLEEP()\u003c/code\u003e) to infer information about the database structure and content.\u003c/li\u003e\n\u003cli\u003eThe attacker iterates through various SQL injection payloads, slowly extracting sensitive data such as usernames, password hashes, and other PII.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify database records to escalate privileges, create new administrative accounts, or sabotage the application\u0026rsquo;s functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data.\u003c/li\u003e\n\u003cli\u003eThe final objective is to compromise the confidentiality, integrity, and availability of the ChurchCRM database, potentially leading to significant data breaches and reputational damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34402 can have serious consequences. An attacker can gain unauthorized access to sensitive data stored within the ChurchCRM database. This includes user credentials, PII, and configuration secrets. The attacker can also modify database records, potentially disrupting church operations or causing financial harm. Given the sensitive nature of the data often stored in church management systems, the impact of this vulnerability could be substantial. The vulnerability affects ChurchCRM installations prior to version 7.1.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM installations to version 7.1.0 or later to remediate CVE-2026-34402.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting requests to PropertyAssign.php with sleep commands to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003ePropertyAssign.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block SQL injection attempts.\u003c/li\u003e\n\u003cli\u003eReview user access controls within ChurchCRM to ensure that only authorized personnel have \u0026ldquo;Edit Records\u0026rdquo; or \u0026ldquo;Manage Groups\u0026rdquo; permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:35Z","date_published":"2026-04-06T16:16:35Z","id":"/briefs/2026-04-churchcrm-sql-injection/","summary":"CVE-2026-34402 is a time-based blind SQL injection vulnerability in ChurchCRM versions prior to 7.1.0. Authenticated users with Edit Records or Manage Groups permissions can exploit the PropertyAssign.php endpoint to exfiltrate or modify database content, including user credentials, PII, and configuration secrets.","title":"ChurchCRM Time-Based Blind SQL Injection Vulnerability (CVE-2026-34402)","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5646"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqlinjection","cve-2026-5646","webapplication"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in code-projects Easy Blog Site 1.0, specifically affecting the login.php file. This vulnerability allows a remote attacker to inject malicious SQL code through the username and password parameters. The vulnerability, identified as CVE-2026-5646, stems from improper sanitization of user-supplied input, potentially allowing attackers to bypass authentication or extract sensitive data from the application\u0026rsquo;s database. The exploit has been publicly disclosed, increasing the risk of widespread exploitation. The scope of the impact depends on the database privileges of the account used by the web application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies the login page (login.php) of the Easy Blog Site 1.0 application.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL injection payload embedded within the username or password parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to login.php, including the SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s login.php script fails to properly sanitize the username or password input.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is passed directly into an SQL query executed against the database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed by the database server, modifying the query\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eDepending on the injected SQL, the attacker may bypass authentication or extract data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the application or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-5646) in Easy Blog Site 1.0 can lead to a range of consequences, including unauthorized access to sensitive user data, modification of application data, or complete compromise of the database server. Given the public disclosure of the exploit, vulnerable installations are at high risk of being targeted by attackers seeking to gain unauthorized access or steal data. The impact is higher if the database user has elevated privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for suspicious POST requests to \u003ccode\u003elogin.php\u003c/code\u003e containing SQL syntax within the \u003ccode\u003eusername\u003c/code\u003e or \u003ccode\u003epassword\u003c/code\u003e parameters to identify potential exploitation attempts (see example rule below).\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eusername\u003c/code\u003e and \u003ccode\u003epassword\u003c/code\u003e parameters in the \u003ccode\u003elogin.php\u003c/code\u003e file to prevent SQL injection, addressing CVE-2026-5646.\u003c/li\u003e\n\u003cli\u003eImplement parameterized queries or prepared statements in the application\u0026rsquo;s database interactions to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor database logs for anomalous SQL queries originating from the web application to detect potential breaches.\u003c/li\u003e\n\u003cli\u003eDeploy a Web Application Firewall (WAF) rule to block requests containing common SQL injection payloads targeting \u003ccode\u003elogin.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T11:17:03Z","date_published":"2026-04-06T11:17:03Z","id":"/briefs/2026-04-easy-blog-sql-injection/","summary":"A SQL injection vulnerability exists in code-projects Easy Blog Site 1.0 within the login.php file, exploitable remotely by manipulating the username/password parameters, potentially leading to unauthorized database access.","title":"SQL Injection Vulnerability in Easy Blog Site 1.0","url":"https://feed.craftedsignal.io/briefs/2026-04-easy-blog-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Sqlinjection","version":"https://jsonfeed.org/version/1.1"}