CVE-2026-35566

Publication date

2026-04-07 15:48:33

Family

GitHub_M

State

PUBLISHED

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in src/Reports/FundRaiserStatement.php where the $_SESSION[iCurrentFundraiser] value is used in an unquoted numeric SQL context without integer validation. The value originates from src/FundRaiserEditor.php where InputUtils::legacyFilterInputArr() is called without the int type specifier. This vulnerability is fixed in 7.1.0.