Search criteria
3 vulnerabilities by phili67
CVE-2026-44418 (GCVE-0-2026-44418)
Vulnerability from cvelistv5 – Published: 2026-05-13 20:58 – Updated: 2026-05-14 13:23
VLAI
Title
Incomplete fix for CVE-2026-35184: SQL Injection in phili67/ecclesiacrm
Summary
EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL queries via str_replace without any sanitization, enabling SQL injection through query parameters that use non-standard validation types. This is caused by an incomplete fix for CVE-2026-35184.
Severity
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/phili67/ecclesiacrm/security/a… | x_refsource_CONFIRM |
| https://github.com/phili67/ecclesiacrm/commit/f74… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| phili67 | ecclesiacrm |
Affected:
<= 8.0.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44418",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:22:36.502474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:23:43.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ecclesiacrm",
"vendor": "phili67",
"versions": [
{
"status": "affected",
"version": "\u003c= 8.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function\u0027s default case in EcclesiaCRM\u0027s query view passes user-supplied POST parameters directly into SQL queries via str_replace without any sanitization, enabling SQL injection through query parameters that use non-standard validation types. This is caused by an incomplete fix for CVE-2026-35184."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T20:58:38.439Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/phili67/ecclesiacrm/security/advisories/GHSA-vmgq-gpf9-mjjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/phili67/ecclesiacrm/security/advisories/GHSA-vmgq-gpf9-mjjj"
},
{
"name": "https://github.com/phili67/ecclesiacrm/commit/f743b97f89da469a4c70b82bd61d0a59a3a957a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phili67/ecclesiacrm/commit/f743b97f89da469a4c70b82bd61d0a59a3a957a9"
}
],
"source": {
"advisory": "GHSA-vmgq-gpf9-mjjj",
"discovery": "UNKNOWN"
},
"title": "Incomplete fix for CVE-2026-35184: SQL Injection in phili67/ecclesiacrm"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44418",
"datePublished": "2026-05-13T20:58:38.439Z",
"dateReserved": "2026-05-06T14:40:00.952Z",
"dateUpdated": "2026-05-14T13:23:43.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6628 (GCVE-0-2026-6628)
Vulnerability from cvelistv5 – Published: 2026-04-20 10:00 – Updated: 2026-04-20 10:54
VLAI
Title
phili67 Ecclesia CRM Query Viewer view ValidateInput sql injection
Summary
A flaw has been found in phili67 Ecclesia CRM up to 8.0.0. This affects the function ValidateInput of the file /v2/query/view/ of the component Query Viewer Component. This manipulation of the argument custom causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/358262 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/358262/cti | signaturepermissions-required |
| https://vuldb.com/submit/792607 | third-party-advisory |
| https://github.com/NicolasPauferro/studiessqli | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| phili67 | Ecclesia CRM |
Affected:
8.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6628",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T10:54:17.230661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T10:54:35.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Query Viewer Component"
],
"product": "Ecclesia CRM",
"vendor": "phili67",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Nicolas Pauferro (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in phili67 Ecclesia CRM up to 8.0.0. This affects the function ValidateInput of the file /v2/query/view/ of the component Query Viewer Component. This manipulation of the argument custom causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T10:00:16.739Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-358262 | phili67 Ecclesia CRM Query Viewer view ValidateInput sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/358262"
},
{
"name": "VDB-358262 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/358262/cti"
},
{
"name": "Submit #792607 | https://github.com/phili67/ecclesiacrm Ecclesia CRM \u003c 8.0.0 SQL Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/792607"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/NicolasPauferro/studiessqli"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-19T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-19T18:51:56.000Z",
"value": "VulDB entry last update"
}
],
"title": "phili67 Ecclesia CRM Query Viewer view ValidateInput sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6628",
"datePublished": "2026-04-20T10:00:16.739Z",
"dateReserved": "2026-04-19T16:46:51.685Z",
"dateUpdated": "2026-04-20T10:54:35.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35184 (GCVE-0-2026-35184)
Vulnerability from cvelistv5 – Published: 2026-04-06 19:21 – Updated: 2026-04-07 19:25
VLAI
Title
EcclesiaCRM has a Critical SQL Injection
Summary
EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0.
Severity
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/phili67/ecclesiacrm/security/a… | x_refsource_CONFIRM |
| https://github.com/phili67/ecclesiacrm/pull/2861 | x_refsource_MISC |
| https://github.com/phili67/ecclesiacrm/commit/f74… | x_refsource_MISC |
| https://gist.github.com/NicolasPauferro/d87799232… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| phili67 | ecclesiacrm |
Affected:
< 8.0.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-35184",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T19:24:22.399143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T19:25:50.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ecclesiacrm",
"vendor": "phili67",
"versions": [
{
"status": "affected",
"version": "\u003c 8.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T19:21:22.597Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/phili67/ecclesiacrm/security/advisories/GHSA-gjw3-73q9-v2qh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/phili67/ecclesiacrm/security/advisories/GHSA-gjw3-73q9-v2qh"
},
{
"name": "https://github.com/phili67/ecclesiacrm/pull/2861",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phili67/ecclesiacrm/pull/2861"
},
{
"name": "https://github.com/phili67/ecclesiacrm/commit/f743b97f89da469a4c70b82bd61d0a59a3a957a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phili67/ecclesiacrm/commit/f743b97f89da469a4c70b82bd61d0a59a3a957a9"
},
{
"name": "https://gist.github.com/NicolasPauferro/d877992327592f1e8eb4e2c9dce1ae9b",
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/NicolasPauferro/d877992327592f1e8eb4e2c9dce1ae9b"
}
],
"source": {
"advisory": "GHSA-gjw3-73q9-v2qh",
"discovery": "UNKNOWN"
},
"title": "EcclesiaCRM has a Critical SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35184",
"datePublished": "2026-04-06T19:21:22.597Z",
"dateReserved": "2026-04-01T17:26:21.134Z",
"dateUpdated": "2026-04-07T19:25:50.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}