CRITICAL🇵🇱 Wersja polska

CVE-2026-42288

CVSS 10.0v3.1pub. 2026-05-12upd. 2026-05-18

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2.

🤖 AI Analysis
How it works

The vulnerability results from insufficient sanitization of the DB_PASSWORD parameter passed by the configuration wizard (setup wizard) of the ChurchCRM system. The earlier patch for CVE-2026-39337 proved incomplete and does not eliminate the actual attack vector. Unsanitized input data reaches the code interpreter (CWE-94 — code injection), enabling injection and execution of arbitrary code on the server side without the need to log in to the application.

Impact

An unauthenticated remote attacker can execute arbitrary code on the server (RCE), gaining full control over the system, including access to church data, ability to modify or delete data, and further movement within the internal network.

Mitigation & patch

ChurchCRM must be immediately updated to version 7.3.2 or later, where the vulnerability has been patched. Until the update is applied, it is recommended to block access to the configuration wizard (setup wizard) at the firewall or web server level.

Who is affected

ChurchCRM in all versions before 7.3.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References