CVE-2026-39337

ChurchCRM · ChurchCRM

A pre-authentication remote code execution vulnerability in the ChurchCRM setup wizard allows unauthenticated attackers to inject arbitrary PHP code, resulting in full server compromise.

Executive summary

A critical pre-authentication remote code execution vulnerability in the ChurchCRM setup wizard allows unauthenticated attackers to achieve full server compromise.

Vulnerability

This is a pre-authentication remote code execution vulnerability originating from improper sanitization of the "$dbPassword" variable during the installation process. It stems from an incomplete fix for a previous vulnerability (CVE-2025-62521): the earlier remediation did not fully neutralize the input, so the setup wizard can still be made to emit attacker-controlled PHP code.
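The bug class described above is an installer that writes a user-supplied database credential into a generated PHP file without turning it into a proper string literal. The following is an added illustration of that pattern and its hardened counterpart; it is not ChurchCRM's code, the function names and file shape are hypothetical, and it does not reproduce the project's actual installer logic.

```php
<?php
// Added illustration, not ChurchCRM code. A setup wizard that persists database
// credentials into a PHP config file must never splice the raw value into the
// source text. All names and the config layout below are hypothetical.

declare(strict_types=1);

/**
 * Naive pattern (the bug class): the password is interpolated directly into
 * PHP source. Any quote, backslash or ';' in the value changes the program
 * the generated file defines, so the value is no longer just data.
 */
function renderConfigNaive(string $dbPassword): string
{
    return "<?php\n\$dbPassword = '" . $dbPassword . "';\n";
}

/**
 * Hardened pattern: var_export() emits a PHP string literal with every quote
 * and backslash escaped, so whatever the value contains it stays a string.
 */
function renderConfigSafe(string $dbPassword): string
{
    return "<?php\n\$dbPassword = " . var_export($dbPassword, true) . ";\n";
}

/**
 * Independent check to run before writing the file: tokenize the generated
 * source and confirm it is exactly one assignment of a single string literal
 * and nothing else. Anything more (extra statements, concatenations, bare
 * identifiers) fails closed.
 */
function configHasSingleStringAssignment(string $source): bool
{
    $shape = [];
    foreach (token_get_all($source) as $t) {
        if (is_array($t)) {
            // Skip layout tokens; the open tag carries its trailing newline.
            if ($t[0] === T_WHITESPACE || $t[0] === T_OPEN_TAG) {
                continue;
            }
            $shape[] = token_name($t[0]);
        } else {
            $shape[] = $t; // single-character tokens such as '=' and ';'
        }
    }
    return $shape === ['T_VARIABLE', '=', 'T_CONSTANT_ENCAPSED_STRING', ';'];
}

// Constructed sample: a legitimate password that happens to contain a quote
// and a semicolon, both allowed in database passwords.
$sample = "s3cret's;value";

var_dump(configHasSingleStringAssignment(renderConfigNaive($sample)));
var_dump(configHasSingleStringAssignment(renderConfigSafe($sample)));
```

With the sample value, the naive renderer produces a file whose token stream no longer matches a single string assignment, so the check rejects it, while the var_export form passes. The structural check is deliberately strict: a value that var_export renders as a concatenation (for example one containing a null byte) is also rejected, which is the safe outcome for a credential an installer is about to commit to disk.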

Business impact

Successful exploitation grants an attacker complete control over the underlying server, enabling data theft, lateral movement, and the installation of persistent backdoors. Given the critical CVSS score of 10, this vulnerability represents an existential threat to the integrity and availability of the affected infrastructure.

Remediation

Immediate Action: Update ChurchCRM to version 7.1.0 immediately; if installation is currently in progress, ensure the environment is isolated until the patch is applied.

Proactive Monitoring: Audit server logs for unexpected execution of PHP files or anomalous processes initiated during or after the installation phase.

Compensating Controls: Ensure the installation directory is protected by strict file system permissions and restrict public access to the setup wizard interface.

Exploitation status

Public Exploit Available: Not specified.

Analyst recommendation

This vulnerability represents the highest level of risk, allowing for total server takeover. It is imperative that administrators verify their ChurchCRM installations are updated to 7.1.0 to prevent remote command execution and maintain the security of the host environment.