CVE Alert

CVE-2026-44418

Severity: UNKNOWN (CVSS 0.0)

Incomplete fix for CVE-2026-35184: SQL Injection in phili67/ecclesiacrm

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL queries via str_replace without any sanitization, enabling SQL injection through query parameters that use non-standard validation types. This is caused by an incomplete fix for CVE-2026-35184.

CWE: CWE-89
Vendor: phili67
Product: ecclesiacrm
Published: May 13, 2026

Affected Versions

phili67/ecclesiacrm <= 8.0.0

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/phili67/ecclesiacrm/security/advisories/GHSA-vmgq-gpf9-mjjj
GitHub commit: https://github.com/phili67/ecclesiacrm/commit/f743b97f89da469a4c70b82bd61d0a59a3a957a9