How easily can this vulnerability be exploited?

Exploitability is generally high: an attacker who can control the `Field` parameter and send crafted HTTP requests can often inject SQL without needing deep knowledge of the application, especially if error messages or observable behavior reveal query structure.

Does an attacker need authenticated access to exploit this?

It depends on how the affected functionality is exposed in a given deployment. If the route using `GroupPropsFormRowOps.php` is reachable by unauthenticated users, no login is required; otherwise, low-privileged authenticated access may be sufficient as long as the user can influence the `Field` parameter.

What is the safest general fix pattern?

Refactor the code to remove direct concatenation of user input into SQL, use prepared statements for values, and handle the `Field` parameter via a strict server-side whitelist of allowed identifiers rather than trusting arbitrary strings from the client.

Severity:

HIGH RISK

(8.8)

SQL Injection via Improper Identifier Escaping (CWE-89) in ChurchCRM GroupPropsFormRowOps

CVE-2026-39318

Published:

Apr 7, 2026

Status:

Undergoing Analysis

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

NDV

Recent Vulnerabilities

CWE-77;CWE-78

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI Handler setAccessDeviceCfg

Remote Code Execution on the Router

April 12, 2026

CWE-77;CWE-78

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI setLedCfg Handler

Remote Code Execution on the Router

April 12, 2026

Vulnerability Type

Category:

SQL Injection

CWE:

CWE-89

Impact:

Arbitrary SQL Execution / Data Compromise

Severity:

HIGH RISK

(8.8)

CVSS Version:

3.1

Vulnerability Type

Category:

SQL Injection

CWE:

CWE-89

Impact:

Arbitrary SQL Execution / Data Compromise

Severity:

HIGH RISK

(8.8)

CVSS Version:

3.1

Catch This CVE While Code Is Being Written

Detect vulnerable code directly in pull requests, so CVEs are fixed before merge.

Get Started

Ship clean & secure code faster

START 14 DAYS FREE TRIAL

BOOK A DEMO

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

SQL Injection via Improper Identifier Escaping (CWE-89) in ChurchCRM GroupPropsFormRowOps

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

Recent Vulnerabilities

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI Handler setAccessDeviceCfg

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI setLedCfg Handler

Vulnerability Type

Vulnerability Type

Vulnerability Type

Catch This CVE While Code Is Being Written

Ship clean & secure code faster

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare