ChurchCRM RCE: Unpatched Setup Wizard Leaves Systems Exposed
The National Vulnerability Database has issued an alert for CVE-2026-42288, a critical pre-authentication remote code execution (RCE) vulnerability in ChurchCRM. This flaw, present in versions prior to 7.3.2, stems from an incomplete fix for a previous vulnerability, CVE-2026-39337. Attackers can exploit unsanitized input in the DB_PASSWORD parameter within the setup wizard to achieve full system compromise.
Rated with a CVSS score of 10.0 (CRITICAL), this RCE allows unauthenticated attackers to execute arbitrary code with maximum impact on confidentiality, integrity, and availability. The vulnerability is categorized under CWE-94 (Improper Control of Generation of Code), indicating a direct code injection risk. Organizations utilizing ChurchCRM are at severe risk if they haven’t applied the patch.
This isn’t a theoretical threat; it’s a direct route to server takeover. Attackers are constantly scanning for exposed setup pages and known RCE vectors. Leaving this unpatched is akin to leaving your front door wide open with the keys on the table. The fix is in version 7.3.2, and there’s no excuse not to update immediately.
What This Means For You
- If your organization uses ChurchCRM, verify your version immediately. If it is prior to 7.3.2, patch to the latest version without delay.
- Audit your web server logs for any suspicious activity related to the setup wizard or database configuration files.
- Assume compromise if you were running an unpatched version exposed to the internet.
🛡️ Detection Rules
Detection rules auto-generated for this incident, mapped to MITRE ATT&CK, in Sigma YAML.
CVE-2026-42288 - ChurchCRM Setup Wizard RCE via DB_PASSWORD
```yaml
title: CVE-2026-42288 - ChurchCRM Setup Wizard RCE via DB_PASSWORD
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-42288 by targeting the ChurchCRM setup
  wizard's install.php script with a POST request containing the DB_PASSWORD
  parameter, indicating a potential pre-authentication RCE attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42288/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/setup/install.php'
    # A bare field name is already an exact match; 'exact' is not a Sigma modifier.
    cs-method:
      - 'POST'
    # Standard access logs do not record POST bodies, so this clause only fires
    # when DB_PASSWORD is passed in the query string (or body logging is enabled).
    cs-uri-query|contains:
      - 'DB_PASSWORD'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
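As an added example (not part of the feed's rule set or the ChurchCRM project), the Python below applies the rule's `selection` logic to Apache/nginx combined-format access-log lines and separately flags POSTs to the setup path whose body the log cannot show. The log lines, IP addresses and the mapping of combined-log fields onto the rule's `cs-*` names are constructed assumptions.

```python
import re
from typing import Optional

# Apache/nginx "combined" access-log format; field names below follow the
# Sigma rule's cs-method / cs-uri / cs-uri-query convention (assumed mapping).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
URI_NEEDLE = "/setup/install.php"   # from the rule's cs-uri|contains
QUERY_NEEDLE = "DB_PASSWORD"        # from the rule's cs-uri-query|contains

# Constructed sample log (not real traffic): a page view, a POST carrying
# DB_PASSWORD in the query string, a POST whose body is not logged, and noise.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2026:10:01:02 +0000] "GET /setup/install.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2026:10:01:09 +0000] "POST /setup/install.php?DB_PASSWORD=REDACTED HTTP/1.1" 200 311
198.51.100.2 - - [12/May/2026:10:02:30 +0000] "POST /setup/install.php HTTP/1.1" 302 0
198.51.100.2 - - [12/May/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 8000
"""

def parse_line(line: str) -> Optional[dict]:
    """Split one combined-log line into the fields the Sigma selection uses."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"c-ip": m.group("ip"), "ts": m.group("ts"), "cs-method": m.group("method"),
            "cs-uri": path, "cs-uri-query": query, "sc-status": int(m.group("status"))}

def matches_selection(ev: dict) -> bool:
    """The rule's `selection`: every field condition must hold (implicit AND)."""
    return (URI_NEEDLE in ev["cs-uri"]
            and ev["cs-method"] == "POST"
            and QUERY_NEEDLE in ev["cs-uri-query"])

def scan(log_text: str) -> dict:
    """Return rule hits plus POSTs to the setup path whose body the log cannot show."""
    hits, review = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if matches_selection(ev):
            hits.append(ev)
        elif ev["cs-method"] == "POST" and URI_NEEDLE in ev["cs-uri"]:
            # Access logs omit request bodies, so a body-borne DB_PASSWORD is
            # invisible here: any POST to the setup wizard deserves manual review.
            review.append(ev)
    return {"hits": hits, "review": review}
```

Running `scan(SAMPLE_LOG)` yields one rule hit (the query-string POST) and one review item (the bodiless POST), which is the gap the rule alone leaves open.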
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42288 | RCE | ChurchCRM versions prior to 7.3.2 |
| CVE-2026-42288 | RCE | ChurchCRM setup wizard |
| CVE-2026-42288 | RCE | unsanitized DB_PASSWORD in ChurchCRM |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 02:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.