Vendor
ChurchCRM SQL Injection Vulnerability in PropertyTypeEditor.php
2 rules 1 TTP 1 CVEA critical SQL injection vulnerability (CVE-2026-39323) in ChurchCRM versions prior to 7.1.0 allows authenticated users with 'Manage Properties' permission to execute arbitrary SQL commands via unsanitized POST parameters in PropertyTypeEditor.php, leading to potential data exfiltration, modification, or deletion.
ChurchCRM Remote Code Execution via Backup Restore Vulnerability (CVE-2026-40484)
3 rules 2 TTPs 1 CVEChurchCRM versions before 7.2.0 are vulnerable to remote code execution (RCE) due to insufficient file extension filtering during database backup restoration, allowing an authenticated administrator to upload a crafted archive containing a PHP webshell that can be executed via HTTP requests.
ChurchCRM < 7.2.0 Family Record Deletion CSRF Vulnerability
2 rules 1 TTP 1 CVEChurchCRM versions prior to 7.2.0 are vulnerable to a CSRF attack on the family record deletion endpoint allowing an attacker to trigger deletion of family records by enticing an authenticated administrator to visit a malicious page.