{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39323", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "REJECTED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.266Z", "datePublished": "2026-04-07T17:28:37.122Z", "dateUpdated": "2026-04-09T17:19:47.880Z", "dateRejected": "2026-04-08T21:11:49.399Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39326. Reason: This candidate is a duplicate of CVE-2026-39326. Notes: All CVE users should reference CVE-2026-39326 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE."}], "replacedBy": ["CVE-2026-39326"], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:19:47.880Z"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39323", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "REJECTED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.266Z", "datePublished": "2026-04-07T17:28:37.122Z", "dateUpdated": "2026-04-09T17:19:47.880Z", "dateRejected": "2026-04-08T21:11:49.399Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39326. Reason: This candidate is a duplicate of CVE-2026-39326. Notes: All CVE users should reference CVE-2026-39326 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE."}], "replacedBy": ["CVE-2026-39326"], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:19:47.880Z"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39326. Reason: This candidate is a duplicate of CVE-2026-39326. Notes: All CVE users should reference CVE-2026-39326 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE."}], "id": "CVE-2026-39323", "lastModified": "2026-04-09T18:17:01.807", "metrics": {}, "published": "2026-04-07T18:16:43.240", "references": [], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Rejected"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-07T22:01:58.574073+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 7.1.0 or later."], "summary": {"action": "Immediate Patch", "impact": "Data Compromise via SQL Injection"}, "threat_synthesis": {"affected_systems": "ChurchCRM, version prior to 7.1.0. The affected product is the ChurchCRM CRM component as listed by the CNA. The fix was introduced in version 7.1.0.", "description_and_impact": "This vulnerability allows authenticated users with Manage Properties permission to execute arbitrary SQL commands by injecting payloads into the Name and Description fields of PropertyTypeEditor.php. Because the input is sanitized only with strip_tags() before direct concatenation into queries, SQL injection occurs. Attackers can exfiltrate sensitive data, modify records, or delete data. The injected data can persist in the database and appear on multiple pages without output encoding, enabling cross\u2011page data exposure.", "risk_and_exploitability": "The CVSS base score of 8.8 indicates high severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Authentication and Manage Properties permission are required, implying the threat vector is local/internal to an authenticated user. No public exploit is documented, but the high severity, persistence of injected data, and potential for data exfiltration and modification make the risk significant for organizations running vulnerable versions."}}}}, "created": "2026-04-08T19:47:14.866208+00:00", "updated": "2026-04-09T08:23:57.781649+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}