CRITICAL🇵🇱 Wersja polska

CVE-2026-39337

CVSS 10.0v3.1pub. 2026-04-07upd. 2026-04-10

ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. This vulnerability exists due to an incomplete fix for CVE-2025-62521. This vulnerability is fixed in 7.1.0.

🤖 AI Analysis
How it works

The ChurchCRM installation wizard does not sanitize the `$dbPassword` variable, which allows an attacker to inject arbitrary PHP code without authentication. The vulnerability is the result of an incomplete patch for the previous CVE-2025-62521 vulnerability, which did not cover all dangerous entry points. The payload passed by the attacker can be executed directly by the server during the application configuration process.

Impact

An attacker without any privileges can execute arbitrary code on the server and gain full control of the system, including access to all user data, databases, and the ability to install backdoors.

Mitigation & patch

ChurchCRM must be immediately updated to version 7.1.0, in which the vulnerability has been fixed. If an update is not possible — network access to the installation wizard (setup wizard) must be blocked until the patch is deployed.

Who is affected

ChurchCRM in versions before 7.1.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Churchcrm

    APP
    Churchcrm
    < 7.1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References

Related vulnerabilities

CVE-2026-39342CRITICAL9.4PL ✓ten sam produkt

SQL Injection w ChurchCRM przez parametr searchwhat (QueryView.php)

CVE-2026-39339CRITICAL9.1PL ✓ten sam produkt

ChurchCRM — krytyczny auth bypass w API middleware

CVE-2026-35573CRITICAL9.1PL ✓ten sam produkt

ChurchCRM: Path Traversal i RCE przez funkcję przywracania kopii zapasowej

CVE-2025-68110CRITICAL9.9PL ✓ten sam produkt

ChurchCRM: ujawnienie danych logowania do bazy danych w komunikacie błędu

CVE-2025-67876CRITICAL9.3PL ✓ten sam produkt

Stored XSS w ChurchCRM — przejęcie konta przez nazwy ról grup