Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. This vulnerability exists due to an incomplete fix for CVE-2025-62521. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in ChurchCRM allows attackers to execute arbitrary PHP code during the initial setup wizard. Because the $dbPassword variable is not sanitized, an unauthenticated user can inject malicious scripts, leading to full control over the web server. The identified weakness corresponds to unsanitized code injection, classified as CWE‑94.

Affected Systems

ChurchCRM version 7.0.x and earlier are affected. The issue was addressed in release 7.1.0. Any deployment of ChurchCRM before this patch that exposes the setup wizard is vulnerable.

Risk and Exploitability

The CVSS score of 10 indicates critical severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not yet listed in the CISA KEV catalog, but its nature allows attackers who can reach the installation page to run code without authentication, potentially leading to remote attacks. Because the exploit requires only web access to the setup wizard and no credential, the attack vector is network‑based and unauthenticated.

Generated by OpenCVE AI on April 10, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ChurchCRM 7.1.0 or later.
  • If unable to upgrade immediately, disable or delete the setup wizard URL to prevent unauthenticated use.
  • Ensure the web server user runs with least privilege and restrict write permissions on application files.

Generated by OpenCVE AI on April 10, 2026 at 22:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. This vulnerability exists due to an incomplete fix for CVE-2025-62521. This vulnerability is fixed in 7.1.0.
Title ChurchCRM Affected by Unauthenticated RCE in Install Wizard
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T18:41:52.764Z

Reserved: 2026-04-06T20:28:38.393Z

Link: CVE-2026-39337

cve-icon Vulnrichment

Updated: 2026-04-07T18:41:49.763Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T18:16:45.630

Modified: 2026-04-10T20:57:31.233

Link: CVE-2026-39337

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:26:25Z

Weaknesses