{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-39337/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":10,"id":"CVE-2026-39337"},{"cvss":10,"id":"CVE-2025-62521"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","cve-2026-39337","churchcrm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is vulnerable to a critical pre-authentication remote code execution (RCE) flaw, identified as CVE-2026-39337. This vulnerability affects versions prior to 7.1.0. Unauthenticated attackers can exploit the setup wizard during the initial installation process to inject arbitrary PHP code, leading to complete server compromise. The root cause lies in the insufficient sanitization of the \u0026ldquo;$dbPassword\u0026rdquo; variable. This vulnerability is a result of an incomplete fix for a previous vulnerability, CVE-2025-62521. Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access, data breaches, and complete system takeover. Upgrading to version 7.1.0 or later is strongly advised to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a malicious HTTP request to the ChurchCRM setup wizard.\u003c/li\u003e\n\u003cli\u003eThe malicious request injects arbitrary PHP code into the \u003ccode\u003e$dbPassword\u003c/code\u003e variable during the setup process.\u003c/li\u003e\n\u003cli\u003eDue to insufficient sanitization, the injected PHP code is written to the ChurchCRM configuration file.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the configuration file, executing the injected PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain full control of the server.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a persistent backdoor for continued access.\u003c/li\u003e\n\u003cli\u003eThe attacker may then exfiltrate sensitive data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39337 allows an unauthenticated attacker to achieve complete server compromise. This could result in the theft of sensitive church member data, modification or destruction of data, defacement of the ChurchCRM website, or use of the server as a platform for launching further attacks. Given the critical nature of the vulnerability and the ease of exploitation, organizations are at high risk. The number of potential victims is high considering the wide usage of this CRM.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade ChurchCRM to version 7.1.0 or later to patch CVE-2026-39337.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the ChurchCRM setup wizard. Deploy a Sigma rule to detect suspicious POST requests to the install endpoint.\u003c/li\u003e\n\u003cli\u003eImplement strong input validation and sanitization for all user-supplied data, especially during the installation process.\u003c/li\u003e\n\u003cli\u003eReview and harden the web server configuration to prevent unauthorized code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T18:16:45Z","date_published":"2026-04-07T18:16:45Z","id":"/briefs/2026-04-churchcrm-rce/","summary":"A critical pre-authentication remote code execution vulnerability in ChurchCRM versions prior to 7.1.0 allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise.","title":"ChurchCRM Pre-Authentication Remote Code Execution Vulnerability (CVE-2026-39337)","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-39337","version":"https://jsonfeed.org/version/1.1"}