{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34402", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "REJECTED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:45:29.620Z", "datePublished": "2026-04-06T15:27:09.103Z", "dateUpdated": "2026-04-09T16:52:13.843Z", "dateRejected": "2026-04-08T21:09:21.775Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39330. Reason: This candidate is a duplicate of CVE-2026-39330. Notes: All CVE users should reference CVE-2026-39330 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE."}], "replacedBy": ["CVE-2026-39330"], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:52:13.843Z"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34402", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "REJECTED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:45:29.620Z", "datePublished": "2026-04-06T15:27:09.103Z", "dateUpdated": "2026-04-09T16:52:13.843Z", "dateRejected": "2026-04-08T21:09:21.775Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39330. Reason: This candidate is a duplicate of CVE-2026-39330. Notes: All CVE users should reference CVE-2026-39330 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE."}], "replacedBy": ["CVE-2026-39330"], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:52:13.843Z"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39330. Reason: This candidate is a duplicate of CVE-2026-39330. Notes: All CVE users should reference CVE-2026-39330 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE."}], "id": "CVE-2026-34402", "lastModified": "2026-04-09T18:16:59.240", "metrics": {}, "published": "2026-04-06T16:16:35.560", "references": [], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Rejected"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-06T19:41:09.789610+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 7.1.0 or later where the issue is fixed", "If an immediate upgrade is not possible, remove Edit Records and Manage Groups permissions from users until the patch is applied", "Disable or restrict access to the PropertyAssign.php endpoint if feasible"], "summary": {"action": "Immediate Patch", "impact": "Remote Data Theft and Modification"}, "threat_synthesis": {"affected_systems": "ChurchCRM versions prior to 7.1.0 are affected. Users running the open-source church management system who have the Edit Records or Manage Groups role can exploit the vulnerability. The vulnerability exists in the PropertyAssign.php module, which handles property assignments within the application.", "description_and_impact": "A time-based blind SQL injection exists in the PropertyAssign.php endpoint of ChurchCRM. The flaw allows an attacker possessing authenticated access with Edit Records or Manage Groups permissions to execute arbitrary SQL statements. As a result, credentials, personal identifiable information, and configuration secrets can be read or altered, leading to potential data breach and system compromise.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity, and while EPSS data is unavailable, the absence in KEV suggests it has not been widely exploited yet. The flaw requires authenticated privileged users; therefore, internal threat actors or compromised accounts pose the primary risk. Exploitation requires a timing attack and careful observation of response delays, which can be difficult for automated attacks but not impossible for an attacker experienced with blind SQL injection."}}}}, "created": "2026-04-06T20:14:04.748769+00:00", "updated": "2026-04-06T21:32:17.003808+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}