CVE-2026-40482

UNKNOWN 0.0

ChurchCRM has Authenticated SQL Injection in `/api/families/byCheckNumber/{scanString}`

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.

CWE	CWE-89
Vendor	churchcrm
Product	crm
Published	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for churchcrm crm

Be the first to know when new unknown vulnerabilities affecting churchcrm crm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

ChurchCRM / CRM

< 7.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc37-vx3w-34fg github.com: https://github.com/ChurchCRM/CRM/pull/8607 github.com: https://github.com/ChurchCRM/CRM/commit/214694eb83778e1f5e52b3dfa2a99d0e965c1850