Ghostwire
Home / Vulnerabilities / CVE-2026-40482

CVE-2026-40482: ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in...

HIGH CVSS 7.5

Published: April 18, 2026 | Last Modified: April 18, 2026

Description

ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (2 articles)

CVE Feed
CVE-2026-40482 - ChurchCRM has Authenticated SQL Injection in `/api/families/byCheckNumber/{scanString}`
 Tenable CVEs
CVE-2026-40482

References