CVE-2026-39337
ChurchCRM · ChurchCRM
A pre-authentication remote code execution vulnerability in the ChurchCRM setup wizard allows unauthenticated attackers to inject arbitrary PHP code, resulting in full server compromise.
Executive summary
A critical pre-authentication remote code execution vulnerability in the ChurchCRM setup wizard allows unauthenticated attackers to achieve full server compromise.
Vulnerability
This is a pre-authentication remote code execution vulnerability caused by improper sanitization of the "$dbPassword" variable during the installation process: an unauthenticated attacker who can reach the setup wizard supplies a crafted database password, and the unsanitized value ends up interpreted as PHP code. The flaw exists because the fix for a previous vulnerability, CVE-2025-62521, was incomplete.
Business impact
Successful exploitation grants an attacker complete control over the underlying server, enabling data theft, lateral movement, and the installation of persistent backdoors. With a CVSS score of 10.0 and no authentication required, this vulnerability is a critical threat to the confidentiality, integrity, and availability of the affected infrastructure.
Remediation
Immediate Action: Update ChurchCRM to version 7.1.0 immediately. If an installation is currently in progress, keep the host isolated from untrusted networks until the patched version is in place, since the setup wizard is the exposed component.
Proactive Monitoring: Review web-server access logs for requests to the setup wizard that did not come from the administrator performing the installation, and audit the server for unexpected PHP files, modified configuration files, or anomalous processes started by the web-server user during or after the installation phase.
Compensating Controls: Ensure the installation directory is protected by strict file system permissions (the web-server user should not be able to write PHP files there once installation is complete), restrict access to the setup wizard interface to trusted addresses at the web server or firewall, and remove or disable the wizard once installation has finished.
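As an added example (not code from ChurchCRM or from this advisory), the script below shows the class of bug described under Vulnerability beside a hardened rendering, together with an audit check of the kind the Compensating Controls item calls for. It assumes that the setup wizard writes the supplied database password into a generated PHP configuration file; the file layout, the $dbPassword variable inside the generated file, the function names, the "incomplete fix" variant, and the constructed payloads are illustrative assumptions, not ChurchCRM's actual code, patch, or observed attack traffic.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM code. Assumes the wizard writes the database
// password into a generated PHP config file; layout and names are assumptions.

// Vulnerable pattern: the untrusted value is concatenated straight into PHP
// source, so a quote in the password ends the string literal and whatever
// follows is parsed as code the next time the config file is included.
function renderConfigVulnerable(string $dbPassword): string
{
    return "<?php\n\$dbPassword = '" . $dbPassword . "';\n";
}

// A typical incomplete fix (illustrative, not ChurchCRM's actual patch):
// escaping only the quote leaves the backslash usable. The input
//   \'; <code>
// becomes \\'; <code> in the file, where \\ is one literal backslash and
// the quote that follows still terminates the string.
function renderConfigIncomplete(string $dbPassword): string
{
    return "<?php\n\$dbPassword = '" . str_replace("'", "\\'", $dbPassword) . "';\n";
}

// Hardened: let PHP serialise the value as a string literal. var_export()
// escapes both the quote and the backslash, so no input can leave the literal.
// NUL bytes are rejected up front because var_export() renders them as a
// concatenation with a double-quoted "\0", which the audit below would flag.
function renderConfigSafe(string $dbPassword): string
{
    if (strpos($dbPassword, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in database password');
    }
    return "<?php\n\$dbPassword = " . var_export($dbPassword, true) . ";\n";
}

// Audit check for an existing installation: confirm the config file contains
// nothing but "$name = <scalar literal>;" statements. It uses the tokenizer so
// the verdict matches how the engine parses the file, rather than guessing
// with a regular expression.
function configIsDataOnly(string $source): bool
{
    $allowedTokens = [
        T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT,
        T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER, T_STRING,
    ];
    foreach (token_get_all($source) as $token) {
        if (is_string($token)) {
            // Single-character tokens: only assignment and statement end.
            // Anything else ('(', '[', '.', '"', '`', '{') means code.
            if ($token !== '=' && $token !== ';') {
                return false;
            }
            continue;
        }
        if (!in_array($token[0], $allowedTokens, true)) {
            return false; // e.g. T_CLOSE_TAG, T_INLINE_HTML, T_ENCAPSED_AND_WHITESPACE
        }
        // Bare words are acceptable only as true/false/null; any other
        // T_STRING is a function or constant name.
        if ($token[0] === T_STRING
            && !in_array(strtolower($token[1]), ['true', 'false', 'null'], true)) {
            return false;
        }
    }
    return true;
}

// Constructed inputs for the demonstration (not observed attack traffic).
// The first targets raw concatenation; the second targets quote-only escaping.
$payloads = [
    'naive'  => "x'; system(\$_GET[\"c\"]); //",
    'bypass' => "\\'; system(\$_GET[\"c\"]); //",
];

foreach ($payloads as $label => $input) {
    printf("%-7s vulnerable=%s incomplete=%s safe=%s\n",
        $label,
        configIsDataOnly(renderConfigVulnerable($input)) ? 'data' : 'CODE',
        configIsDataOnly(renderConfigIncomplete($input)) ? 'data' : 'CODE',
        configIsDataOnly(renderConfigSafe($input)) ? 'data' : 'CODE');
}
```

Each constructed payload defeats the rendering it targets, while the var_export() form stays a single string literal for both; that is the property a fix for this bug class has to hold for every input, not just the ones a previous report used. To audit an existing deployment, pass the contents of the installed configuration file (its path is not given here) to configIsDataOnly(); a false result means the file contains something other than plain assignments and deserves manual inspection.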
Exploitation status
Public Exploit Available: Not specified.
Analyst recommendation
This vulnerability represents the highest level of risk, allowing total server takeover without authentication. Administrators must verify that their ChurchCRM installations are running version 7.1.0 or later to prevent remote code execution and, for any instance whose setup wizard was reachable from untrusted networks while unpatched, work through the monitoring steps above to confirm the host was not compromised.