CVE-2026-44418

Source
https://cve.org/CVERecord?id=CVE-2026-44418
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44418.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44418
Aliases
  • GHSA-vmgq-gpf9-mjjj
Published
2026-05-13T20:58:38.439Z
Modified
2026-07-08T08:18:00.088844044Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Incomplete fix for CVE-2026-35184: SQL Injection in phili67/ecclesiacrm
Details

EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL queries via str_replace without any sanitization, enabling SQL injection through query parameters that use non-standard validation types. This is caused by an incomplete fix for CVE-2026-35184.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44418.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

Git / github.com/phili67/ecclesiacrm

Affected ranges

Type
GIT
Repo
https://github.com/phili67/ecclesiacrm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.0.0"
        }
    ]
}

Affected versions

2.*
2.0.0
2.0.0-RC2
2.0.1
2.1.0
2.1.1
2.1.10
2.1.11
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.8.0
2.8.0-RC1
2.8.0-RC2
2.8.1
2.8.10
2.8.11
2.8.12
2.8.13
2.8.14
2.8.15
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
3.*
3.0.0
3.1.0
3.2.0
3.2.1
3.3.0
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.5.0
3.6.0
3.6.1
3.6.2
4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.3.1
4.4.0
4.4.1
4.4.2
4.5.0
4.5.1
4.5.2
4.6.0
4.6.1
4.6.2
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6
4.8.0
4.9.0
4.9.1
4.9.2
5.*
5.0.0
5.1.0
5.2.0
5.3.0
5.3.1
5.4.0
5.4.1
5.4.2
5.4.3
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.6.0
5.6.1
5.6.2
5.7.0
5.8.0
5.8.1
5.8.2
5.8.3
5.8.4
5.8.5
5.8.6
6.*
6.0.0
6.0.1
7.*
7.0.0
7.5.0
7.6.1
8.*
8.0.0
Other
untagged-0e6e5655727964439a56
v8.*
v8.0.0-GM.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44418.json"