CVE-2026-35566 - Vulnerability Details

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39319. Reason: This candidate is a duplicate of CVE-2026-39319. Notes: All CVE users should reference CVE-2026-39319 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

No reference.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description	ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in src/Reports/FundRaiserStatement.php where the $_SESSION['iCurrentFundraiser'] value is used in an unquoted numeric SQL context without integer validation. The value originates from src/FundRaiserEditor.php where InputUtils::legacyFilterInputArr() is called without the 'int' type specifier. This vulnerability is fixed in 7.1.0.	REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39319. Reason: This candidate is a duplicate of CVE-2026-39319. Notes: All CVE users should reference CVE-2026-39319 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE.
Title	ChurchCRM has a SQL Injection via Unquoted Session Value in FundRaiserStatement.php
Weaknesses	CWE-89
References	https://github.com/ChurchCRM/CRM/security/advisories/GHSA-grq6-q49f-44xh
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 07 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in src/Reports/FundRaiserStatement.php where the $_SESSION['iCurrentFundraiser'] value is used in an unquoted numeric SQL context without integer validation. The value originates from src/FundRaiserEditor.php where InputUtils::legacyFilterInputArr() is called without the 'int' type specifier. This vulnerability is fixed in 7.1.0.
Title		ChurchCRM has a SQL Injection via Unquoted Session Value in FundRaiserStatement.php
Weaknesses		CWE-89
References		https://github.com/ChurchCRM/CRM/security/advisories/GHSA-grq6-q49f-44xh
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: REJECTED

Assigner: GitHub_M

Published: 2026-04-07T15:48:33.952Z

Updated: 2026-04-07T18:27:20.468Z

Reserved: 2026-04-03T20:09:02.826Z

Link: CVE-2026-35566

Vulnrichment

No data.

NVD

Status : Rejected

Published: 2026-04-07T16:16:29.587

Modified: 2026-04-07T19:16:44.447

Link: CVE-2026-35566

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object