CVE-2026-39337

ChurchCRM Affected by Unauthenticated RCE in Install Wizard

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. This vulnerability exists due to an incomplete fix for CVE-2025-62521. This vulnerability is fixed in 7.1.0.

INFO

Published Date :

2026-04-07T18:08:27.227Z

Last Modified :

2026-04-07T18:41:52.764Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-39337 vulnerability.

Vendors	Products
Churchcrm	Churchcrm

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39337.

URL	Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pm2v-ggh4-mp7p

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact