Description
ChurchCRM is an open-source church management system. Prior to 7.3.2, the fix for CVE-2026-39337 is incomplete: the pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable. This vulnerability is fixed in 7.3.2.
Published: 2026-05-12
Score: 10.0 (Critical)
EPSS: < 1% (Very Low)
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated remote code execution vulnerability exists in ChurchCRM's setup wizard because the DB_PASSWORD input field is not properly sanitized. An attacker who can reach the wizard can supply crafted input that ends up executed as code on the server, gaining arbitrary code execution before any authentication occurs. This CVE records that the earlier fix for CVE-2026-39337 was incomplete, so the same vector remained exploitable in releases that carried that fix. The weakness is a classic code injection flaw (CWE-94).

Affected Systems

The vulnerability affects all ChurchCRM installations prior to version 7.3.2, including releases that already carried the original fix for CVE-2026-39337, since that fix was incomplete. Any ChurchCRM instance older than 7.3.2 is potentially vulnerable.

Risk and Exploitability

With a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) the risk is critical. The EPSS score is below 1% (very low) at the time of writing, but the vulnerability is publicly documented, the SSVC record on this page marks exploitation as "poc" and the issue as automatable, and the setup wizard is reachable without credentials, so exploitation requires little effort. The CVE is not listed in the CISA KEV catalog at this time. An attacker can remotely craft the DB_PASSWORD field to inject code, bypassing authentication entirely.

Generated by OpenCVE AI on May 12, 2026 at 23:23 UTC.

Remediation

The vendor fix is ChurchCRM 7.3.2, per the CVE description; no separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.3.2 or newer to obtain the completed fix for the setup wizard.
  • Until the upgrade is applied, restrict network or firewall access to the setup wizard endpoint so it cannot be reached by unauthenticated clients; on an installation that has already completed setup, confirm that the wizard is not reachable at all.
  • Note that prepared statements address SQL injection, not this flaw: CWE-94 is code injection, so the value of DB_PASSWORD must never be interpolated into code or a code-like configuration file without escaping for that file's syntax, and is better stored in a non-executable format (for example, environment variables or a data file).

Generated by OpenCVE AI on May 12, 2026 at 23:23 UTC.
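The following is an added example written for this page; it is not ChurchCRM code and does not reproduce the project's actual defect. It assumes, hypothetically, that the setup wizard persists the database password by writing it into a PHP configuration file, which is one way an unsanitized DB_PASSWORD becomes code injection (CWE-94) as described under Impact above and as the recommended actions warn against. It contrasts that vulnerable templating with an escaped form, and checks the difference by tokenising the generated source rather than executing it. The function names, the config variable name and the input string are all constructed for the example.

```php
<?php
// Added example, not ChurchCRM code. Hypothetical assumption: the wizard writes
// the DB password into a PHP config file. Names below are made up for the demo.

// VULNERABLE: user input is interpolated straight into PHP source text, so a
// value containing a quote can close the string literal and append statements.
function render_config_vulnerable(string $dbPassword): string
{
    return "<?php\n\$dbPassword = '" . $dbPassword . "';\n";
}

// HARDENED: var_export() emits a proper PHP string literal, escaping backslashes
// and single quotes, so whatever the input is, it stays inside one literal.
function render_config_hardened(string $dbPassword): string
{
    return "<?php\n\$dbPassword = " . var_export($dbPassword, true) . ";\n";
}

// Defence in depth: reject control characters and oversized values before they
// reach any sink. This is a policy choice, not a substitute for correct escaping.
function validate_db_password(string $dbPassword): bool
{
    return strlen($dbPassword) <= 128
        && preg_match('/[\x00-\x1f\x7f]/', $dbPassword) === 0;
}

// Count top-level statement terminators using the PHP tokenizer, without
// executing the generated file. A correctly escaped config yields exactly one.
function count_statements(string $phpSource): int
{
    $count = 0;
    foreach (token_get_all($phpSource) as $token) {
        // Single-character tokens come back as plain strings.
        if ($token === ';') {
            $count++;
        }
    }
    return $count;
}

// Constructed input: closes the literal, injects a harmless echo, and comments
// out the remainder of the original line. Illustrative only.
$crafted = "x'; echo 'INJECTED'; //";

$results = [
    'vulnerable' => count_statements(render_config_vulnerable($crafted)),
    'hardened'   => count_statements(render_config_hardened($crafted)),
    'validates'  => validate_db_password($crafted),
];

foreach ($results as $label => $value) {
    printf("%-10s %s\n", $label, var_export($value, true));
}

// The vulnerable rendering contains two statements (the injected echo became
// code); the hardened rendering contains one. Fail loudly if that is not so.
if ($results['vulnerable'] !== 2 || $results['hardened'] !== 1) {
    throw new RuntimeException('unexpected tokenizer result');
}
```

Run it with `php example.php`. The crafted value passes the character-class validation, which is the point of the third result: a denylist on DB_PASSWORD does not stop injection on its own, because the sink (PHP source text) decides which characters are dangerous. Escaping for that sink, or not writing secrets into code at all, is the fix; input validation only narrows the blast radius.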


Advisories

No advisories yet.

History

Mon, 18 May 2026 15:30:00 +0000

Type       Values Removed   Values Added
Metrics    (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 10:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Churchcrm; Churchcrm churchcrm
Vendors & Products    (none)           Churchcrm; Churchcrm churchcrm

Tue, 12 May 2026 22:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           ChurchCRM is an open-source church management system. Prior to 7.3.2, the fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable. This vulnerability is fixed in 7.3.2.
Title         (none)           ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD
Weaknesses    (none)           CWE-94
References    (none)
Metrics       (none)           cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T14:35:42.523Z

Reserved: 2026-04-26T12:13:55.551Z

Link: CVE-2026-42288

Vulnrichment

Updated: 2026-05-18T14:34:53.436Z

NVD

Status: Deferred

Published: 2026-05-12T23:16:17.600

Modified: 2026-05-18T16:16:30.823

Link: CVE-2026-42288

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T09:45:09Z

Weaknesses