LeakyCreds

CVE-2026-39337 - Vulnerability Analysis

Severity: Critical (CVSS: 10.0)

Last Updated: April 8, 2026

ChurchCRM - Remote Code Execution

Published: April 7, 2026
Updated: April 8, 2026
Remotely exploitable

Overview

ChurchCRM versions before 7.1.0 contain a remote code execution vulnerability caused by the unsanitized "$dbPassword" variable in the setup wizard, which lets unauthenticated attackers execute arbitrary PHP code during installation. Exploitation requires unauthenticated access to the setup wizard.

Severity & Score

Severity: Critical
CVSS Score: 10.0
EPSS Score: 27.1% (probability of exploitation in the next 30 days)

Impact

Unauthenticated attackers can execute arbitrary PHP code, leading to complete server compromise.

Mitigation

Update to version 7.1.0 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Apr 8, 2026

🔴 CVE-2026-39337 - Critical (10) ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial inst... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39337/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-39337
Severity: Critical
CVSS Score: 10.0
Type: remote_code_execution
Status: unconfirmed
EPSS: 27.1%
Social Posts: 1

CWE

  • CWE-94 (Improper Control of Generation of Code, "Code Injection")

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

27.1% (probability of exploitation in the next 30 days)