CVE-2026-6628

MEDIUM

phili67 Ecclesia CRM Query Viewer view ValidateInput sql injection

Title source: cna

Description

A flaw has been found in phili67 Ecclesia CRM up to 8.0.0. This affects the function ValidateInput of the file /v2/query/view/ of the component Query Viewer Component. This manipulation of the argument custom causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-358262 | phili67 Ecclesia CRM Query Viewer view ValidateInput sql injection

https://vuldb.com/vuln/358262

Signature, Permissions Required signature permissions-required

VDB-358262 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/358262/cti

Third Party Advisory third-party-advisory

Submit #792607 | https://github.com/phili67/ecclesiacrm Ecclesia CRM < 8.0.0 SQL Injection

https://vuldb.com/submit/792607

Exploit exploit

https://github.com/NicolasPauferro/studiessqli

View Exploit ZIP pw:eip

Scores

CVSS v3 6.3

EPSS 0.0020

EPSS Percentile 9.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-74 CWE-89

Status published

Products (1)

phili67/Ecclesia CRM 8.0

Published Apr 20, 2026

Tracked Since Apr 20, 2026