Code Injection in ChurchCRM - CVE-2026-39337

Published: May 5, 2026


Vulnerability identifier: #VU129690
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-39337
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the install wizard's configuration handling when it processes setup data during the initial installation. A remote attacker can inject arbitrary PHP code through the DB_PASSWORD parameter and thereby execute arbitrary code.

Exploitation is possible before authentication during the initial setup workflow and can lead to complete server compromise.
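The code-generation flaw described above, as an added example that is not ChurchCRM's code: an install wizard that writes setup values into a PHP config file, first by string interpolation and then via var_export(), plus a tokenizer check that a reviewer can run over the generated file before it is written. Function names, the define()-based config format and the sample values are assumptions.

```php
<?php
// Added example (not ChurchCRM's code). Shows the CWE-94 pattern from the advisory:
// setup data from an unauthenticated install step is turned into PHP source text.

// UNSAFE: the submitted value is spliced straight into PHP source. A value that
// contains a single quote closes the string literal, and whatever follows is
// parsed as code the next time the config file is included.
function renderConfigUnsafe(array $settings): string {
    $out = "<?php\n";
    foreach ($settings as $key => $value) {
        $out .= "define('{$key}', '{$value}');\n";
    }
    return $out;
}

// SAFE: every value is emitted as a PHP literal by var_export(), which escapes
// quotes and backslashes, and keys are restricted to plain constant names so
// the key cannot be used to break out of the define() call either.
function renderConfigSafe(array $settings): string {
    $out = "<?php\n";
    foreach ($settings as $key => $value) {
        if (!preg_match('/^[A-Z][A-Z0-9_]*$/', $key)) {
            throw new InvalidArgumentException("Invalid config key: {$key}");
        }
        if (!is_string($value) && !is_int($value) && !is_bool($value)) {
            throw new InvalidArgumentException("Unsupported value type for {$key}");
        }
        $out .= sprintf("define(%s, %s);\n", var_export($key, true), var_export($value, true));
    }
    return $out;
}

// Defensive check: a generated config must contain exactly one statement per
// setting. Counting top-level ';' tokens with the PHP tokenizer catches any
// extra statement that a breakout sneaked in, before the file is written to disk.
function countStatements(string $src): int {
    $n = 0;
    foreach (token_get_all($src) as $tok) {
        if ($tok === ';') { $n++; }
    }
    return $n;
}

// Constructed sample: a "password" carrying a quote and a PHP comment marker.
$settings = [
    'DB_HOST'     => 'localhost',
    'DB_PASSWORD' => "p'); define('EXTRA', 1); //",
];
// Unsafe output yields 3 statements for 2 settings; safe output yields exactly 2.
printf("unsafe: %d statements, safe: %d statements (expected %d)\n",
    countStatements(renderConfigUnsafe($settings)),
    countStatements(renderConfigSafe($settings)), count($settings));
```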


How to mitigate CVE-2026-39337

Install the security update from the vendor's website.

Sources