ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in src/Reports/FundRaiserStatement.php where the $_SESSION['iCurrentFundraiser'] value is used in an unquoted numeric SQL context without integer validation. The value originates from src/FundRaiserEditor.php where InputUtils::legacyFilterInputArr() is called without the 'int' type specifier. This vulnerability is fixed in 7.1.0.
| Vendor | Product | Versions |
|---|---|---|
| ChurchCRM | CRM | < 7.1.0 |
Updated description with new technical details, changed affected versions to < 7.0.0, updated severity to CRITICAL, and added CVE-2026-35566 as a tag.
Initial creation
