ChurchCRM Prior to 7.2.0 Allows Attackers to Access Sensitive Data
CVE-2026-40482
Summary
ChurchCRM versions prior to 7.2.0 contain a SQL injection vulnerability that could allow attackers to access sensitive information. If left unpatched, this could lead to unauthorized access to financial and member data. Update to version 7.2.0 or later to fix this issue.
Original title
ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw ...
Original description
ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.
NVD CVSS 4.0
7.1
Vulnerability type
CWE-89
SQL Injection
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026