{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39317", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "REJECTED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.266Z", "datePublished": "2026-04-07T17:20:02.186Z", "dateUpdated": "2026-04-09T17:18:27.227Z", "dateRejected": "2026-04-08T21:10:38.442Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39334. Reason: This candidate is a duplicate of CVE-2026-39334. Notes: All CVE users should reference CVE-2026-39334 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE."}], "replacedBy": ["CVE-2026-39334"], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:18:27.227Z"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39317", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "REJECTED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.266Z", "datePublished": "2026-04-07T17:20:02.186Z", "dateUpdated": "2026-04-08T21:10:38.442Z", "dateRejected": "2026-04-08T21:10:38.442Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "This CVE is a duplicate of another CVE."}], "replacedBy": ["CVE-2026-39334"], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T21:10:38.442Z"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39334. Reason: This candidate is a duplicate of CVE-2026-39334. Notes: All CVE users should reference CVE-2026-39334 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE."}], "id": "CVE-2026-39317", "lastModified": "2026-04-09T18:17:01.600", "metrics": {}, "published": "2026-04-07T18:16:42.667", "references": [], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Rejected"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-07T22:28:06.221500+00:00", "value": {"mitigation_remediation": ["Upgrade to ChurchCRM 7.1.0 or later to apply the sanitization fix", "Re-authenticate all users to invalidate potentially hijacked sessions", "Restrict database permissions to limit query capabilities for application users", "Monitor logs for anomalous queries indicating exploitation attempts"], "summary": {"action": "Patch immediately", "impact": "Data exfiltration via SQL injection by authenticated users"}, "threat_synthesis": {"affected_systems": "All installations of ChurchCRM older than version 7.1.0 are affected. The issue exists in the SettingsIndividual.php module within the ChurchCRM:CRM product. Administrators using version 7.0.x or earlier must be aware that users with valid credentials can leverage the flaw to pull confidential data from the database.", "description_and_impact": "A vulnerable array key in ChurchCRM's SettingsIndividual.php allows an attacker who has authenticated to inject arbitrary SQL. The unsanitized POST parameter is directly incorporated into SQL queries, enabling extraction of sensitive database contents. The flaw is rated CVSS 8.8, indicating high risk to confidentiality and integrity.", "risk_and_exploitability": "Because authentication is required, attackers need either compromised credentials or privileged user accounts. The high CVSS score signals a serious threat, but the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. Nevertheless, the attack path is straightforward once access is obtained, making rapid patching a priority."}}}}, "created": "2026-04-08T19:47:18.128181+00:00", "updated": "2026-04-09T08:24:00.861951+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}