CVE-2026-44418
Incomplete fix for CVE-2026-35184: SQL Injection in phili67/ecclesiacrm
EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL queries via str_replace without any sanitization, enabling SQL injection through query parameters that use non-standard validation types. This is caused by an incomplete fix for CVE-2026-35184.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Productos afectados
phili67 · ecclesiacrm¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →