CVE-2026-39337— ChurchCRM Affected by Unauthenticated RCE in Install Wizard
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-39337
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ChurchCRM Affected by Unauthenticated RCE in Install Wizard
Source: NVD (National Vulnerability Database)
Vulnerability Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. This vulnerability exists due to an incomplete fix for CVE-2025-62521. This vulnerability is fixed in 7.1.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
ChurchCRM 代码注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
ChurchCRM是ChurchCRM开源的一个为教会打造的开源 CRM 系统。 ChurchCRM 7.1.0之前版本存在代码注入漏洞,该漏洞源于安装向导中$dbPassword变量未清理,可能导致预身份验证远程代码执行和服务器完全被控制。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
II. Public POCs for CVE-2026-39337
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-39337
请登录查看更多情报信息。
Same Patch Batch · ChurchCRM · 2026-04-07 · 28 CVEs total
| CVE-2026-35573 | 9.1 CRITICAL | ChurchCRM has a Path traversal leads to RCE |
| CVE-2026-39339 | 9.1 CRITICAL | ChurchCRM has an API Authentication Bypass |
| CVE-2026-39328 | 8.9 HIGH | ChurchCRM has Stored XSS in Social Profile Fields |
| CVE-2026-39326 | 8.8 HIGH | ChurchCRM has a Blind SQL injection in PropertyTypeEditor.php |
| CVE-2026-39334 | 8.8 HIGH | ChurchCRM has a Blind SQL injection in SettingsIndividual.php |
| CVE-2026-39327 | 8.8 HIGH | ChurchCRM has a SQL injection in MemberRoleChange.php |
| CVE-2026-39319 | 8.8 HIGH | ChurchCRM has a Second Order SQLI via FundRaiserEditor.php |
| CVE-2026-39329 | 8.8 HIGH | ChurchCRM has a Blind SQL injection in EventNames.php |
| CVE-2026-39318 | 8.8 HIGH | ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php |
| CVE-2026-39330 | 8.8 HIGH | ChurchCRM has a Blind SQL injection in PropertyAssign.php |
| CVE-2026-35576 | 8.7 HIGH | ChurchCRM has Stored Cross-Site Scripting (XSS) in Person Properties via PrintView.php |
| CVE-2026-39333 | 8.7 HIGH | ChurchCRM has Reflected XSS in DateStart/DateEnd parameters in FindFundRaiser.php |
| CVE-2026-39332 | 8.7 HIGH | ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php |
| CVE-2026-39340 | 8.1 HIGH | ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer Substituti |
| CVE-2026-39341 | 8.1 HIGH | SQL injection in ChurchCRM.0 |
| CVE-2026-39331 | 8.1 HIGH | ChurchCRM has an API Authorization Bypass Allows Authenticated User to Deactivate, Modify, |
| CVE-2026-35575 | 8.0 HIGH | ChurchCRM has Stored XSS in Group Name |
| CVE-2026-35534 | 7.6 HIGH | ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection |
| CVE-2026-35574 | 7.3 HIGH | ChurchCRM has a Stored XSS in Person Profile - Add a Note |
| CVE-2026-39325 | 7.2 HIGH | ChurchCRM has a Blind SQL injection in SettingsUser.php |
Showing top 20 of 28 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: CRM
- CVE-2026-40593
ChurchCRM: Stored XSS in UserEditor.php via Login Name Field - CVE-2026-40581
ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete - CVE-2026-40485
ChurchCRM: Username Enumeration via Differential Response in - CVE-2026-40484
ChurchCRM: Authenticated Remote Code Execution via Unrestric - CVE-2026-40483
ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comme
Same vendor: ChurchCRM
- CVE-2026-40593
ChurchCRM: Stored XSS in UserEditor.php via Login Name Field - CVE-2026-40581
ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete - CVE-2026-40485
ChurchCRM: Username Enumeration via Differential Response in - CVE-2026-40484
ChurchCRM: Authenticated Remote Code Execution via Unrestric - CVE-2026-40483
ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comme
Same weakness: CWE-94
- CVE-2021-47939
Evolution CMS 3.1.6 Authenticated Remote Code Execution via - CVE-2021-47938
ImpressCMS 1.4.2 Remote Code Execution via Autotasks - CVE-2021-47935
Sentry 8.2.0 Remote Code Execution via Pickle Deserializatio - CVE-2022-50944
Aero CMS 0.0.1 PHP Code Injection via posts.php - CVE-2026-8211
codelibs Fess JSP File AdminDesignAction.java update code in
V. Comments for CVE-2026-39337
No comments yet