{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35567", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "REJECTED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.826Z", "datePublished": "2026-04-07T15:49:55.587Z", "dateUpdated": "2026-04-09T16:51:09.351Z", "dateRejected": "2026-04-08T21:07:42.669Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39327. Reason: This candidate is a duplicate of CVE-2026-39327. Notes: All CVE users should reference CVE-2026-39327 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE."}], "replacedBy": ["CVE-2026-39327"], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:51:09.351Z"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35567", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "REJECTED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.826Z", "datePublished": "2026-04-07T15:49:55.587Z", "dateUpdated": "2026-04-09T16:51:09.351Z", "dateRejected": "2026-04-08T21:07:42.669Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39327. Reason: This candidate is a duplicate of CVE-2026-39327. Notes: All CVE users should reference CVE-2026-39327 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE."}], "replacedBy": ["CVE-2026-39327"], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:51:09.351Z"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39327. Reason: This candidate is a duplicate of CVE-2026-39327. Notes: All CVE users should reference CVE-2026-39327 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE."}], "id": "CVE-2026-35567", "lastModified": "2026-04-09T17:16:26.053", "metrics": {}, "published": "2026-04-07T16:16:29.747", "references": [], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Rejected"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-07T22:09:43.323344+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to 7.1.0 or later.", "Limit the ManageGroups role to trusted administrators.", "Enforce least privilege for all users to reduce the attack surface.", "Monitor database logs for unexpected queries related to MemberRoleChange.php."], "summary": {"action": "Patch Now", "impact": "Data Compromise via SQL Injection"}, "threat_synthesis": {"affected_systems": "ChurchCRM, an open\u2011source church management solution, is affected in all releases prior to version 7.1.0. The issue resides in the Community Relationship Management (CRM) component, specifically src/MemberRoleChange.php. Administrators using older installations are at risk unless they upgrade to the patched 7.1.0 release.", "description_and_impact": "An authenticated user holding the ManageGroups role can craft a POST request to MemberRoleChange.php using a malicious NewRole parameter. Because the parameter is inserted into an SQL command without proper integer validation, the attacker can inject arbitrary SQL statements. The resulting vulnerability is a classic SQL injection, identified as CWE\u201189, that allows the authenticated user to read, modify, or delete data in the ChurchCRM database, potentially leading to data compromise and loss of integrity.", "risk_and_exploitability": "The CVSS score of 8.8 reflects high severity, and the lack of an EPSS score means we cannot quantify likelihood from that metric. The vulnerability requires an authenticated session with ManageGroups privileges and knowledge of a valid group ID and person ID, which can be discovered via GroupView or PersonView interfaces. Because these prerequisites are readily available to a regular user who can navigate the system, the risk of exploitation is significant. The vulnerability was addressed in version 7.1.0, which deploys proper integer validation and eliminates the injection path."}}}}, "created": "2026-04-08T19:48:11.104735+00:00", "updated": "2026-04-09T08:24:10.896028+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}