ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2.
The vulnerability results from insufficient sanitization of the DB_PASSWORD parameter passed by the configuration wizard (setup wizard) of the ChurchCRM system. The earlier patch for CVE-2026-39337 proved incomplete and does not eliminate the actual attack vector. Unsanitized input data reaches the code interpreter (CWE-94 — code injection), enabling injection and execution of arbitrary code on the server side without the need to log in to the application.
An unauthenticated remote attacker can execute arbitrary code on the server (RCE), gaining full control over the system, including access to church data, ability to modify or delete data, and further movement within the internal network.
ChurchCRM must be immediately updated to version 7.3.2 or later, where the vulnerability has been patched. Until the update is applied, it is recommended to block access to the configuration wizard (setup wizard) at the firewall or web server level.
ChurchCRM in all versions before 7.3.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H