theinfosecnews

CVE-2026-39337

Published April 7, 2026 · Updated April 8, 2026

CVSS 10.0 (critical)

What This Means

CVE-2026-39337 is a critical pre-authentication remote code execution vulnerability in ChurchCRM versions prior to 7.1.0. Unauthenticated attackers can exploit this flaw in the setup wizard to inject arbitrary PHP code, resulting in full server compromise. To mitigate this risk, upgrade to ChurchCRM version 7.1.0 or later immediately.

Official Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. This vulnerability exists due to an incomplete fix for CVE-2025-62521. This vulnerability is fixed in 7.1.0.
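The bug class the description names, an unsanitized value spliced into generated PHP source by a setup wizard, shown as an added illustration that is not ChurchCRM's code: `writeConfigUnsafe`, `writeConfigSafe` and the config file layout are hypothetical, chosen only to contrast the flawed pattern with the fix.

```php
<?php
// Hypothetical setup-wizard code (NOT ChurchCRM's): installers often persist DB
// credentials by generating a PHP config file that is later include()d.

// VULNERABLE pattern: the submitted value is concatenated straight into PHP source.
// A quote or backslash in $dbPassword changes the syntax of the generated file, so
// attacker-controlled data becomes attacker-controlled code once the file is loaded.
function writeConfigUnsafe(string $path, string $dbPassword): void
{
    $src = "<?php\n\$dbPassword = '" . $dbPassword . "';\n";
    file_put_contents($path, $src);
}

// HARDENED pattern: var_export() emits a valid, fully escaped PHP string literal, so
// the value is always data, never code. (Keeping secrets out of PHP source entirely,
// e.g. in an environment variable or a non-executable file, avoids the problem class.)
function writeConfigSafe(string $path, string $dbPassword): void
{
    $src = "<?php\n\$dbPassword = " . var_export($dbPassword, true) . ";\n";
    file_put_contents($path, $src);
}

// Demonstration with a constructed, harmless password containing a single quote.
$pw     = "O'Reilly";
$dir    = sys_get_temp_dir();
$unsafe = $dir . '/cfg_unsafe.php';
$safe   = $dir . '/cfg_safe.php';

writeConfigUnsafe($unsafe, $pw);
writeConfigSafe($safe, $pw);

// The unsafe file is not even valid PHP: the quote terminated the literal early
// (`php -l` on it reports a parse error). The safe file round-trips the value intact.
$dbPassword = null;
include $safe;
assert($dbPassword === $pw);
echo "unsafe file:\n", file_get_contents($unsafe), "safe file:\n", file_get_contents($safe);
```

Running it with `php` and comparing the two generated files shows why escaping at the point of code generation, not input filtering alone, closes this class of bug.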

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review logs for indicators of compromise related to CVE-2026-39337.