CVE-2026-42288— ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42288
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD
Source: NVD (National Vulnerability Database)
Vulnerability Description
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
ChurchCRM 代码注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
ChurchCRM是ChurchCRM开源的一个为教会打造的开源 CRM 系统。 ChurchCRM 7.3.2之前版本存在代码注入漏洞,该漏洞源于CVE-2026-39337修复不完整,可能导致预认证远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-42288
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42288
请登录查看更多情报信息。
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-mp2w-4q3r-ppx7x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-42288
Same Patch Batch · ChurchCRM · 2026-05-12 · 4 CVEs total
| CVE-2026-44547 | 9.6 CRITICAL | ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and acco |
| CVE-2026-42289 | 8.8 HIGH | ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation |
| CVE-2026-44548 | 8.1 HIGH | ChurchCRM: CSRF via legacy GET-delete pages (FundRaiserDelete.php, PropertyTypeDelete.php, |
IV. Related Vulnerabilities
Same product: CRM
- CVE-2026-44548
ChurchCRM: CSRF via legacy GET-delete pages (FundRaiserDelet - CVE-2026-44547
ChurchCRM: Incomplete fix for CVE-2026-40582: public API log - CVE-2026-42289
ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admi - CVE-2026-40593
ChurchCRM: Stored XSS in UserEditor.php via Login Name Field - CVE-2026-40581
ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete
Same vendor: ChurchCRM
- CVE-2026-44548
ChurchCRM: CSRF via legacy GET-delete pages (FundRaiserDelet - CVE-2026-44547
ChurchCRM: Incomplete fix for CVE-2026-40582: public API log - CVE-2026-42289
ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admi - CVE-2026-40593
ChurchCRM: Stored XSS in UserEditor.php via Login Name Field - CVE-2026-40581
ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete
Same weakness: CWE-94
- CVE-2021-47964
Schlix CMS 2.2.6-6 Remote Code Execution via core.blockmanag - CVE-2026-44717
MCP Calculate Server: Prompt Injection to RCE - CVE-2026-41258
OpenMRS: Stored Velocity SSTI to RCE via ConceptReferenceRan - CVE-2026-35194
Apache Flink: Remote code execution via SQL injection in cod - CVE-2026-8539
Chrome<148.0.7778.168 XSS漏洞
V. Comments for CVE-2026-42288
No comments yet