{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40482", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.114Z", "datePublished": "2026-04-17T22:58:48.528Z", "dateUpdated": "2026-04-17T22:58:48.528Z"}, "containers": {"cna": {"title": "ChurchCRM has Authenticated SQL Injection in `/api/families/byCheckNumber/{scanString}`", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc37-vx3w-34fg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc37-vx3w-34fg"}, {"name": "https://github.com/ChurchCRM/CRM/pull/8607", "tags": ["x_refsource_MISC"], "url": "https://github.com/ChurchCRM/CRM/pull/8607"}, {"name": "https://github.com/ChurchCRM/CRM/commit/214694eb83778e1f5e52b3dfa2a99d0e965c1850", "tags": ["x_refsource_MISC"], "url": "https://github.com/ChurchCRM/CRM/commit/214694eb83778e1f5e52b3dfa2a99d0e965c1850"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T22:58:48.528Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0."}], "source": {"advisory": "GHSA-hc37-vx3w-34fg", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0."}], "id": "CVE-2026-40482", "lastModified": "2026-04-18T00:16:39.110", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T00:16:39.110", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/commit/214694eb83778e1f5e52b3dfa2a99d0e965c1850"}, {"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/pull/8607"}, {"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc37-vx3w-34fg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:50:25.228564+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 7.2.0 or later, which contains the fixed query handling logic.", "Confirm that all API requests to /api/families/byCheckNumber/{scanString} require proper authentication before processing the parameter.", "Apply input validation or parameterized queries for any custom extensions or modules that interact with the database to prevent future injection points."], "summary": {"action": "Immediate Patch", "impact": "Authenticated SQL Injection"}, "threat_synthesis": {"affected_systems": "ChurchCRM (CRM) versions prior to 7.2.0 are affected. The issue was identified in the FinancialService::getMemberByScanString() method and is fixed in release 7.2.0.", "description_and_impact": "The vulnerability exists in the /api/families/byCheckNumber/{scanString} endpoint of ChurchCRM, where user\u2011supplied input is concatenated into a raw SQL query without proper sanitization. This allows an authenticated attacker to manipulate the SQL statement, potentially extracting, modifying, or deleting data from the database. The flaw is a classic SQL injection (CWE\u201189) that compromises confidentiality, integrity, and availability of financial records.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high severity for authenticated users. Since no EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of immediate exploitation appears moderate, though the authenticated nature of the endpoint means any user with access can potentially leverage the flaw. Ingress would involve interacting with the vulnerable API endpoint after authentication, making mitigation a priority."}}}}, "created": "2026-04-18T09:00:05.893562+00:00", "updated": "2026-04-18T09:00:05.893571+00:00", "vendors": []}