Back to search
CVE-2026-40482
Published: Apr 17, 2026
Modified: Apr 20, 2026
PUBLISHED
Description
ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.
| Vendor | Product | Versions |
|---|---|---|
ChurchCRM | CRM | affected < 7.2.0 |
Weaknesses (CWE)
References
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc37-vx3w-34fg
x_refsource_CONFIRM
https://github.com/ChurchCRM/CRM/pull/8607
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now