PT-2026-30960 · ChurchCRM · ChurchCRM

Lucascsmt +1 · Published 2026-04-07 · Updated 2026-05-13 · CVE-2026-39337

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.1.0

Description: ChurchCRM, an open-source church management system, has a critical pre-authentication remote code execution issue in its setup wizard. Unauthenticated attackers can inject arbitrary PHP code during the initial installation process, potentially leading to complete server compromise. The issue stems from an incomplete fix for a previous issue and is related to unsanitized input in the $dbPassword variable.

Recommendations: Update to version 7.1.0.

Tags: Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers: CVE-2026-39337

Affected Products: ChurchCRM