LeakyCreds

CVE-2026-42289 - Vulnerability Analysis

Severity: High
CVSS: 8.8

Last Updated: May 13, 2026

ChurchCRM - Cross Site Request Forgery

Published: May 12, 2026
Updated: May 13, 2026
Remote Exploitable

Overview

ChurchCRM versions before 7.3.2 contain a cross-site request forgery (CSRF) vulnerability caused by missing CSRF token validation in UserEditor.php. An unauthenticated attacker who gets a logged-in administrator to open a crafted HTML page can elevate privileges or create administrator accounts; exploitation requires that interaction from the victim administrator.

Severity & Score

Severity: High
CVSS Score: 8.8

Impact

Attackers can silently elevate user privileges or create admin accounts, leading to full administrative control.

Mitigation

Update to version 7.3.2 or later.
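The advisory attributes the flaw to a state-changing handler that applies a POST without checking a CSRF token. The following is an added illustration of the synchronizer-token pattern such a handler needs; it is not ChurchCRM's code, and the handler and helper names (set_user_admin, update_user_vulnerable, update_user_hardened) are hypothetical.

```php
<?php
// Added illustration, not ChurchCRM's code; helper names are hypothetical.
// SameSite=Lax on the session cookie is defence in depth: a cross-site POST from an
// attacker page then arrives without the session, before the token check even runs.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Hypothetical persistence helper standing in for the real user update.
function set_user_admin(int $userId, bool $isAdmin): void { /* DB write */ }

// One unpredictable token per session, embedded in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field that carries the token back; a cross-site page cannot read it.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only when a string token was submitted and equals the session copy;
// hash_equals() is constant-time, so the comparison does not leak the token.
function csrf_valid(array $post, array $session): bool
{
    $submitted = $post['csrf_token'] ?? null;
    $expected  = $session['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Vulnerable shape, as the advisory describes: the privilege change is applied on
// any POST, so a form auto-submitted by another origin in an admin's browser succeeds.
function update_user_vulnerable(array $post): void
{
    set_user_admin((int) $post['user_id'], ($post['admin'] ?? '') === '1');
}

// Hardened shape: same action, but it fails closed unless the token validates.
function update_user_hardened(array $post): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_valid($post, $_SESSION)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    set_user_admin((int) $post['user_id'], ($post['admin'] ?? '') === '1');
}
```

Every form that reaches the hardened handler must include csrf_field() in its markup; a request that lacks the field, or carries a stale or forged value, is rejected before any privilege change is written.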

Details

CVE ID
CVE-2026-42289
Severity
High
CVSS Score
8.8
Type
cross_site_request_forgery
Status
rejected

CWE

  • CWE-269

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H