PatchSiren

ChurchCRM CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL ChurchCRM CVE published 2026-05-12

CVE-2026-42288

ChurchCRM versions prior to 7.3.2 contain a pre-authentication remote code execution vulnerability in the setup wizard. It is an incomplete fix for CVE-2026-39337: the DB_PASSWORD parameter is still written out unsanitized and can be used for code injection. The CVSS 3.1 score of 10.0 reflects network attack vector, low complexity, no privileges required, no user interaction, and chan [truncated]
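The advisory text above gives the class of bug (an installer parameter reaching PHP code unsanitized) but not ChurchCRM's actual code path, so the following is an added illustration, not code from ChurchCRM or from the advisory. It assumes the common setup-wizard layout in which the submitted database password is written into a PHP config file; the function names, the `$dbPassword` config variable and the sample inputs are all constructed for this example. It shows the unsafe writer beside a hardened one, and a tokenizer-based check that a practitioner can run over any generated config to confirm the password can only ever be parsed as string data.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (illustrative, not ChurchCRM's code): the password is
// concatenated straight into PHP source. A value containing a single quote
// closes the literal, and whatever follows is parsed and executed as code
// the next time the config file is included.
function writeConfigUnsafe(string $dbPassword): string
{
    return "<?php\n\$dbPassword = '" . $dbPassword . "';\n";
}

// Hardened pattern: var_export() escapes quotes and backslashes, so the
// value is emitted as a proper PHP string literal and cannot break out.
function writeConfigSafe(string $dbPassword): string
{
    return "<?php\n\$dbPassword = " . var_export($dbPassword, true) . ";\n";
}

// Check used here: tokenize the generated file and accept it only if it is
// a single variable assigned from string literals (plus the '.' concatenation
// var_export uses for NUL bytes). A function name, parenthesis, comment or
// second variable means code got into the file.
function isPlainStringAssignment(string $src): bool
{
    $allowed = [T_OPEN_TAG, T_WHITESPACE, T_CONSTANT_ENCAPSED_STRING];
    $variables = 0;
    foreach (token_get_all($src) as $tok) {
        if (is_string($tok)) {             // single-character tokens
            if (!in_array($tok, ['=', '.', ';'], true)) {
                return false;
            }
            continue;
        }
        if ($tok[0] === T_VARIABLE) {
            $variables++;
            continue;
        }
        if (!in_array($tok[0], $allowed, true)) {
            return false;
        }
    }
    return $variables === 1;
}

// Constructed inputs: an ordinary password and one that carries a quote
// followed by PHP code, the shape a code-injection payload takes here.
$benign  = 'Hunter2!';
$hostile = "x'; system(\$_GET['c']); //";

foreach ([$benign, $hostile] as $pw) {
    printf("unsafe writer, %s -> %s\n", var_export($pw, true),
        isPlainStringAssignment(writeConfigUnsafe($pw)) ? 'ok' : 'CODE INJECTED');
    printf("safe writer,   %s -> %s\n", var_export($pw, true),
        isPlainStringAssignment(writeConfigSafe($pw)) ? 'ok' : 'CODE INJECTED');
}
```

Run it with `php example.php`: the unsafe writer passes the check for the benign password and fails it for the hostile one, while the safe writer passes for both. The same `isPlainStringAssignment` check can be pointed at an existing generated config file (`file_get_contents` on it) as a quick audit that no earlier install wrote code into it; it is a structural check on the file, not a substitute for upgrading to 7.3.2.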