CVE-2026-42288 · CRITICAL 10.0 · EPSS percentile 42.9%

Description

ChurchCRM is an open-source church management system. Prior to 7.3.2, the fix for CVE-2026-39337 is incomplete: the pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable. This vulnerability is fixed in 7.3.2.

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.58% probability of exploitation · percentile 42.9% · 2026-06-18T12:00:27Z
Published: 2026-05-12
Last modified: 2026-05-18

Underlying weaknesses · 1

CWE-94

References

  1. https://github.com/ChurchCRM/CRM/security/advisories/GHSA-mp2w-4q3r-ppx7

Type     | Target                                                              | Confidence | Tier
Weakness | Improper Control of Generation of Code ('Code Injection'), cwe-94   | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-39337
  2. CVE-2026-39339
  3. CVE-2026-39318
  4. CVE-2025-62521
  5. CVE-2026-39334
  6. CVE-2026-42289

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.