PatchSiren cyber security CVE debrief
CVE-2026-42288 ChurchCRM CVE debrief
ChurchCRM versions prior to 7.3.2 contain a pre-authentication remote code execution vulnerability in the setup wizard. The vulnerability stems from incomplete remediation of CVE-2026-39337, with the DB_PASSWORD parameter remaining unsanitized and exploitable for code injection. The CVSS 3.1 score of 10.0 reflects network attack vector, low complexity, no privileges required, no user interaction, and changed scope with high impacts to confidentiality, integrity, and availability. The vulnerability was published on May 12, 2026, with the description and metadata last modified on May 18, 2026. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.
- Vendor: ChurchCRM
- Product: CRM
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-18
Who should care
Organizations running ChurchCRM church management systems, particularly those with internet-facing installations or multi-site deployments where setup endpoints may remain accessible. Security teams responsible for PHP application security and open-source CRM platforms.
Technical summary
The ChurchCRM setup wizard accepts a DB_PASSWORD parameter without adequate sanitization, allowing injection of executable code. The vulnerability is reachable without authentication, making it exploitable by any network-accessible attacker. The incomplete nature of the prior fix (CVE-2026-39337) suggests the original remediation addressed a symptom or specific payload rather than the underlying input validation deficiency.
Defensive priority
CRITICAL
Recommended defensive actions
- Upgrade ChurchCRM to version 7.3.2 or later immediately
- If immediate patching is not possible, restrict network access to the setup wizard endpoints
- Review and monitor for unauthorized access attempts to /setup paths
- Verify that no unauthorized administrative accounts were created during potential exploitation windows
- Conduct forensic review of systems running versions prior to 7.3.2 for signs of compromise
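As an added example (not part of this advisory or of ChurchCRM's code), the following Python check implements the monitoring recommendation above: it parses web-server access logs in the combined format and reports requests whose path resolves to the setup wizard from hosts outside an administrative network. The sample log lines, the 10.0.0.0/8 allowlist and the assumption that ChurchCRM is served from the web root are all constructed for the example.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical allowlist: networks from which setup/maintenance traffic is expected.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def is_setup_request(target):
    """True if the request path resolves to the setup wizard (/setup...), app at web root."""
    path = unquote(urlsplit(target).path).lower()
    # Drop empty and "." segments so /Setup, /%73etup/ and /./setup//x all match.
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return bool(parts) and parts[0] == "setup"

def from_admin_network(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)

def find_suspicious(lines):
    """Return (ip, method, target, status) for setup requests from outside ADMIN_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_setup_request(m["target"]):
            continue
        if from_admin_network(m["ip"]):
            continue
        hits.append((m["ip"], m["method"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2026:09:00:01 +0000] "GET /setup/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2026:09:01:13 +0000] "POST /Setup/index.php HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.7 - - [12/May/2026:09:01:20 +0000] "GET /%73etup/ HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.2 - - [12/May/2026:09:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("setup wizard reached from outside admin networks:", hit)
```

On an installation that has completed setup, any hit is worth a ticket regardless of source; the allowlist only filters expected maintenance traffic.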
Evidence notes
The vulnerability description explicitly states that the fix for CVE-2026-39337 is incomplete, indicating this is a bypass or insufficient patch scenario rather than a distinct vulnerability class. The CVSS vector confirms full network exploitability without authentication.
Official resources
- CVE-2026-42288 CVE record (CVE.org)
- CVE-2026-42288 NVD detail (NVD)
- Source item URL: nvd_modified
Source reference
The vulnerability was disclosed through GitHub Security Advisories and indexed by NVD. The vendor has acknowledged the incomplete fix and released version 7.3.2 as the remediation.