ChurchCRM is an open-source church management system. Prior to 7.1.0, authenticated users with Edit Records or Manage Groups permissions can exploit a time-based blind SQL injection vulnerability in the PropertyAssign.php endpoint to exfiltrate or modify any database content, including user credentials, personal identifiable information (PII), and configuration secrets. This vulnerability is fixed in 7.1.0.
| Vendor | Product | Versions |
|---|---|---|
| churchcrm | churchcrm | < 7.1.0 |
Updated severity to CRITICAL, marked as actively exploited, and added CVE-2026-34402 as a new tag.
Initial creation
