Skip to main content

Crm CVE-2026-42288

CRITICAL
Code Injection (CWE-94)
2026-05-12 GitHub_M
10.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
May 12, 2026 - 22:25 nvd
CRITICAL 10.0

DescriptionGitHub Advisory

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2.

Analysis

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2.

More in Crm

View all
CVE-2017-5965 MEDIUM POC
6.7 May 23

The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to execute arbitrary ASP c

CVE-2019-15950 MEDIUM POC
6.1 Sep 16

The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard data. Rated medium severity (CVSS 6.1), this vulner

CVE-2026-58409 CRITICAL
9.1 Jul 13

Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by i

CVE-2017-5966 MEDIUM POC
4.9 May 23

Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path trav

CVE-2026-39328 HIGH
8.9 Apr 07

ChurchCRM church management system versions before 7.1.0 allow authenticated users with EditSelf permission to exfiltrat

CVE-2026-35566 HIGH
8.8 Apr 07

SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with low privileges to execute arbitrary S

CVE-2026-35576 HIGH
8.7 Apr 07

Stored cross-site scripting in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject malicious JavaScri

CVE-2026-39331 HIGH
8.1 Apr 07

Insecure Direct Object Reference (IDOR) in ChurchCRM API allows authenticated low-privilege users to manipulate arbitrar

CVE-2026-35575 HIGH
8.0 Apr 07

Stored Cross-Site Scripting in ChurchCRM admin panel enables session hijacking and administrative account takeover throu

CVE-2026-58410 HIGH
7.1 Jul 13

Insecure Direct Object Reference in ChurchCRM before 7.4.0 lets an authenticated non-admin user with EditSelf access rea

CVE-2026-35572 HIGH
7.0 Apr 07

Server-Side Request Forgery in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to trigger outbound

CVE-2026-58411 HIGH
7.0 Jul 13

Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized req

Share

CVE-2026-42288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy