The start of 2026 brought two CVEs that are worth taking apart in a lab. CVE-2026-39337 is a pre-auth PHP code injection leading to RCE in ChurchCRM, CVSS 10.0 out of 10.0: no login, no password, no user interaction, just send an HTTP request and get a shell. CVE-2026-27681 is a SQL injection in SAP BPC and SAP BW, CVSS 9.9. Formally it requires an account, but in an SAP environment that is not much of a barrier (more on this below). In this lab guide I walk through each vulnerability from the first HTTP request to a shell, with specific commands you can reproduce on an isolated lab host.
Why These CVEs Deserve a Dedicated Lab
CMS and ERP systems are the bread and butter of corporate pentesting. ChurchCRM runs on the servers of thousands of organizations, and SAP BPC/BW manages financial planning in large companies. Both vulnerabilities exploit mistakes that, according to the ABP2B study, occur in 91% of tested systems: missing sanitization of user input and sloppy handling of SQL queries. It is 2026, and nothing has changed.
Here is what makes this pair especially interesting for lab analysis:
CVE-2026-39337 is fully pre-authentication. No login, no password, no user interaction. CVE-2026-27681 formally requires authorization (PR:L), but in SAP landscapes low-privilege accounts are handed out to a wide range of employees, so the entry barrier is effectively zero. Both vulnerabilities carry the Scope Changed (S:C) flag: the compromise extends beyond the vulnerable component and affects related systems.
According to the MITRE ATT&CK classification, both fall under Exploit Public-Facing Application (T1190, Initial Access): the attacker gains initial access through a publicly reachable web application.
CVE-2026-39337: PHP code injection in ChurchCRM without authentication
Technical anatomy: CWE-94
According to the NVD, the vulnerability sits in the initial setup wizard of ChurchCRM. The variable $dbPassword is not sanitized before being written into the configuration file. Classic CWE-94 (Improper Control of Generation of Code): user input lands in generated PHP code and runs when the configuration file is included.
What happens on the wire: the setup wizard accepts database connection settings in an HTTP request: host, database name, login, password. All of this is written into a PHP configuration file. The problem is that the password value is substituted into a PHP string literal without escaping. If the attacker puts into the password field a construct that closes the string and appends arbitrary PHP code, that code executes the next time the config file is included.
The developers had already tried to close this vector, but the patch turned out to be leaky: some special characters were sanitized, but not all. A classic of the genre.
Why it works pre-auth: the setup wizard in most PHP CMSes is reachable without authentication by design, because at the moment of initial setup no accounts exist yet. If the installation was never completed, or if a re-installation can be triggered, any network attacker can reach this endpoint.
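To make the CWE-94 mechanism concrete, here is an added example (not ChurchCRM's code) that models the config-generation step in Python: a password value is written into a PHP single-quoted string literal three ways (raw interpolation, a hypothetical partial escape that handles only the quote, and complete escaping of both backslash and quote), and a small checker reports whether the generated line is still exactly one string assignment. The `render_*` and `parse_assignment` names are this example's own, and the partial-escape variant is a constructed illustration of the "some characters sanitized, not all" failure mode, not a description of the actual ChurchCRM patch.

```python
"""Added example, not ChurchCRM's code: a model of the CWE-94 config-generation
step. A password is written into a PHP single-quoted string literal in three ways
(raw, partially escaped, fully escaped), and a small checker verifies whether the
generated line is still exactly one string assignment."""


def render_unsafe(password: str) -> str:
    """Vulnerable pattern: the value is pasted straight into PHP source text."""
    return "$dbPassword = '" + password + "';"


def render_partial(password: str) -> str:
    """Hypothetical incomplete fix (constructed): only the quote is escaped, the
    backslash is not. A trailing backslash in the value then swallows the closing
    quote, so the literal never terminates where the generator expects."""
    return "$dbPassword = '" + password.replace("'", "\\'") + "';"


def php_single_quoted(value: str) -> str:
    """Complete escaping for a PHP single-quoted literal, where only backslash and
    single quote are special. Backslashes are escaped first so the quote's escape
    character is not escaped a second time. PHP's var_export() does the same."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_safe(password: str) -> str:
    """Fixed pattern: the value is serialized as a literal, never as source text."""
    return "$dbPassword = " + php_single_quoted(password) + ";"


def parse_assignment(line: str):
    """Minimal checker for the generated line. Accepts only
    $dbPassword = '<literal>';  with nothing but ';' after the closing quote, and
    returns the decoded literal, or None if the value escaped the literal
    (extra tokens after the quote) or the literal never closes."""
    prefix = "$dbPassword = '"
    if not line.startswith(prefix):
        return None
    decoded = []
    i = len(prefix)
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in ("\\", "'"):
            decoded.append(line[i + 1])  # \\ and \' are the only escapes in PHP single quotes
            i += 2
            continue
        if ch == "'":
            # literal closed: the rest of the statement must be exactly ';'
            return "".join(decoded) if line[i + 1:] == ";" else None
        decoded.append(ch)
        i += 1
    return None  # unterminated literal


if __name__ == "__main__":
    for value in ("hunter2", "a'b", "x\\"):
        for name, render in (("unsafe", render_unsafe), ("partial", render_partial), ("safe", render_safe)):
            line = render(value)
            print(f"{name:8} {line!r:34} -> {parse_assignment(line)!r}")
```

The checker is the part worth keeping: a generator that writes code should verify, before saving the file, that its output still parses as the single statement it intended to emit. Better still is to not generate code at all and store connection settings in a data format (INI, JSON, environment) that the application reads back without evaluating it.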
Deploying a Vulnerable Version in Docker
To reproduce, you need a ChurchCRM version below 7.1.0. Bring up an isolated lab:
If the lab shows the installation wizard, you can start testing. If the setup wizard is not shown (HTTP 404 or a redirect to the login page), the image most likely contains a completed installation. Delete the configuration file (docker exec churchcrm-lab rm /var/www/html/Include/Config.php) and restart the container.
CVE-2026-27681: SQL injection in SAP BPC and SAP BW
CVSS vector analysis and real impact
CVE-2026-27681 affects SAP Business Planning and Consolidation and SAP Business Warehouse, through which large corporations run financial planning and analytics. According to the NVD, the vulnerability (CWE-89, SQL Injection) lets an authenticated user execute arbitrary SQL to read, modify and delete data in the database.
CVSS vector by component:
• AV:N - attack over the network, no physical access needed
• AC:L - low complexity, no special conditions
• PR:L - an account with low privileges is required
• UI:N - no user interaction required
• S:C - Scope Changed, the compromise extends beyond the vulnerable component
• C:H/I:H/A:H - full impact on confidentiality, integrity and availability
Scope Changed at CVSS 9.9 means more than reading a single table. The attacker can step outside the application's context and reach the entire database, including data of other SAP modules.
For a pentester this is a gold mine. SAP systems store financial data, personnel records and strategic plans. A SQL injection with full database access maps to Exploitation for Credential Access (T1212) when the attacker pulls password hashes, and at the same time to Data from Local System (T1005) for collecting business-critical information.
Features of SQL injection in corporate software
Although CVE-2026-27681 formally requires authorization, in practice that is not a serious barrier. According to ABP2B pentests, SAP systems often suffer from weak and default passwords. Obtaining an authorized session by brute-forcing popular passwords is one of the most common scenarios. In my experience on SAP projects, the first thing I try is the standard passwords for SAP*, DDIC and EARLYWATCH, and surprisingly often they work.
For comparison: CVE-2026-27179 in the MajorDoMo system (described by SentinelOne) is a similar SQL injection without authentication (CWE-89, CVSS 4.0 score 8.8: high impact on confidentiality, low on integrity, none on availability (VC:H/VI:L/VA:N); CVSS 4.0 uses a different scoring method). $_GET['parent'] is interpolated directly into SQL queries. The exploitation technique, time-based blind SQLi, applies to SAP scenarios as well, although the specific endpoints, syntax and impact level differ.
SQL injection testing methodology in SAP systems (using CVE-2026-27681 as the example)
SAP does not disclose details of vulnerable endpoints in the public advisory; they are available only to customers via the SAP Support Portal. Below is the general SQLi testing methodology for SAP systems, applied after identifying the relevant SAP Security Note for CVE-2026-27681. Assume we already have a valid session in SAP BPC (obtained through password brute force, phishing or leaked credentials).
The first stage is to intercept a legitimate request to the suspected vulnerable endpoint with Burp Suite and save it to a file:
Bash:
# Save the intercepted request from Burp Suite to a file
# Burp → right-click on the request → Copy to file → request.txt
# Example request.txt content (hypothetical endpoint for demonstration):
# POST /sap/bpc/api/query HTTP/1.1
# Host: sap-target.corp.local
# Cookie: sap-usercontext=...; SAP_SESSIONID_BPC_100=...
# Content-Type: application/json
#
# {"filter":"value_to_test*"}
The second step is to run sqlmap with the request file. SAP runs on different DBMSes (HANA, MS SQL, Oracle), so sqlmap needs time for fingerprinting:
Bash:
# Basic scanning with automatic DBMS detection
python sqlmap.py -r request.txt --batch --level=3 --risk=2
# If WAF blocks standard payloads, use tamper scripts
python sqlmap.py -r request.txt --batch --level=5 --risk=3 \
--tamper=space2comment,between,randomcase
# For time-based blind injection, increase the timeout
python sqlmap.py -r request.txt --batch --technique=T --time-sec=10
The third stage, after the injection is confirmed, is to pull the database structure and the target data:
Bash:
# Get a list of databases
python sqlmap.py -r request.txt --batch --dbs
# Obtain tables from the target database
python sqlmap.py -r request.txt --batch -D target_db --tables
# Extract user data (password hashes)
python sqlmap.py -r request.txt --batch -D target_db -T users --dump
# Attempt to get OS shell (if DBMS allows)
python sqlmap.py -r request.txt --batch --os-shell
As the Hive Security guide on SQL injection notes, sqlmap ships more than 50 tamper scripts for bypassing WAFs: case randomization, character encoding, comment insertion, keyword splitting. When testing SAP systems, which often sit behind a corporate WAF, a combination of --tamper scripts is what separates "found nothing" from "found".
Mapping the kill chain to MITRE ATT&CK
A complete attack chain combining both vulnerabilities in a corporate environment looks like this in a real campaign: the attacker finds a publicly reachable ChurchCRM (or another CMS) on the organization's perimeter, exploits CVE-2026-39337 to obtain a shell, then moves through the internal network to the SAP server and uses CVE-2026-27681 to reach financial data. Scope Changed (S:C) on both CVEs says directly that the impact goes far beyond the originally compromised service.
Attack detection: Sigma-rules and log analysis
Detecting CVE-2026-39337 in web logs
PHP code injection via the setup wizard leaves characteristic traces in access logs. What to look for:
• Requests to /setup/ endpoints on production servers (the setup wizard should not be reachable after installation; if it is exposed, that is already a problem)
• POST requests to the setup wizard with atypically long parameter values
• PHP constructs (system(, eval(, exec(, passthru() in request parameters
YAML:
# Sigma rule for detecting exploitation of CVE-2026-39337
# Example to demonstrate the concept
title: ChurchCRM Setup Wizard PHP Injection Attempt
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects attempts to exploit CVE-2026-39337 via PHP code injection in the ChurchCRM setup wizard
logsource:
    category: webserver
    product: apache
detection:
    selection_path:
        cs-uri-stem|contains:
            - '/setup/'
            - '/Setup.php'
    condition: selection_path
# Note: this rule detects the mere fact of access to the setup wizard on a production server,
# which is already an anomaly. The CVE-2026-39337 payload travels in the POST body, which
# standard Apache/Nginx logs do NOT record. To detect the payload in the POST body,
# use ModSecurity with SecRequestBodyAccess On and a rule matching PHP constructs.
# To detect post-exploitation (GET requests with ?cmd=), create a separate rule
# for system(, eval(, exec( in cs-uri-query on any ChurchCRM endpoint.
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.39337
SQL injection detection in SAP systems
For CVE-2026-27681 and similar SQLi vulnerabilities in corporate software, monitoring is needed at several levels. As SentinelOne describes for the similar CVE-2026-27179 in MajorDoMo, the key indicators of compromise are:
• SQL constructs in URL parameters: UNION, SELECT, SLEEP(), WAITFOR
• Anomalous database response times (characteristic of time-based blind SQLi)
• Many similar requests with varying SLEEP() values, the typical pattern of automated exploitation with sqlmap
YAML:
# Sigma rule for detecting SQLi against SAP endpoints
# Example to demonstrate the concept
title: SQL Injection Attempt Against SAP BPC/BW
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
status: experimental
description: Detects post-authentication SQL injection patterns in requests to SAP BPC/BW endpoints (CVE-2026-27681 requires PR:L)
logsource:
    category: webserver
detection:
    selection_sap:
        cs-uri-stem|contains:
            - '/sap/bpc/'
            - '/sap/bw/'
    selection_sqli:
        cs-uri-query|contains:
            - 'UNION SELECT'
            - 'UNION%20SELECT'
            - 'SLEEP('
            - 'WAITFOR DELAY'
            - "' OR '1'='1"
            - '1=1--'
    condition: selection_sap and selection_sqli
# CVE-2026-27681 requires authentication (PR:L): a hit means a compromised account plus SQLi exploitation.
level: critical
tags:
    - attack.credential_access
    - attack.t1212
    - cve.2026.27681
At the database level, set up auditing: log all queries with abnormal execution time (over 5 seconds when the norm is under 100 ms), as well as queries touching system tables or functions (INFORMATION_SCHEMA, pg_sleep, BENCHMARK).
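The two Sigma rules above match single requests. As an added example (not from the original post, and independent of any SIEM), the following Python script implements the same indicators for both CVEs over Apache combined-format log lines, and adds the cross-request check the SAP section mentions: one client repeating the same request with only the SLEEP() argument changing. All log lines are constructed for this demo; the paths, IPs and user agents are sample values, not observations.

```python
"""Added example, not from the original post: the access-log indicators listed
above (setup-wizard access, PHP constructs in the query string, SQL keywords on
SAP paths, and sqlmap-style SLEEP() sweeps) implemented over Apache combined-format
lines. All sample lines are constructed for this demo."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample traffic: one benign request, a setup-wizard POST, a
# post-exploitation style GET, three time-based SQLi probes, one benign SAP request.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [03/May/2026:10:01:05 +0000] "POST /setup/index.php HTTP/1.1" 200 201 "-" "curl/8.0"
10.0.0.9 - - [03/May/2026:10:01:09 +0000] "GET /index.php?cmd=exec%28%27id%27%29 HTTP/1.1" 200 88 "-" "curl/8.0"
10.0.0.7 - - [03/May/2026:10:02:00 +0000] "GET /sap/bpc/api/query?filter=1%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 77 "-" "sqlmap/1.8"
10.0.0.7 - - [03/May/2026:10:02:06 +0000] "GET /sap/bpc/api/query?filter=1%27%20AND%20SLEEP%2810%29--%20 HTTP/1.1" 200 77 "-" "sqlmap/1.8"
10.0.0.7 - - [03/May/2026:10:02:17 +0000] "GET /sap/bpc/api/query?filter=1%27%20AND%20SLEEP%2815%29--%20 HTTP/1.1" 200 77 "-" "sqlmap/1.8"
10.0.0.3 - - [03/May/2026:10:03:00 +0000] "GET /sap/bw/report?year=2026 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
SETUP_PATHS = ("/setup/", "/setup.php")  # compared against the lowercased path
PHP_CONSTRUCTS = ("system(", "eval(", "exec(", "passthru(")
SQL_PATTERNS = ("UNION SELECT", "SLEEP(", "WAITFOR DELAY", "' OR '1'='1", "1=1--")
SAP_PREFIXES = ("/sap/bpc/", "/sap/bw/")
SLEEP_RE = re.compile(r"SLEEP\((\d+)\)", re.IGNORECASE)


def parse_log(text):
    """Parse combined-format lines; the query string is URL-decoded so encoded
    payloads (%27, %28) match the same way as plain ones."""
    entries = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        path, _, query = m.group("url").partition("?")
        entries.append({"ip": m.group("ip"), "method": m.group("method"),
                        "path": path, "query": unquote_plus(query)})
    return entries


def classify(entry):
    """Per-request indicators from the text above; returns a list of tags."""
    tags = []
    path_l, query_l, query_u = entry["path"].lower(), entry["query"].lower(), entry["query"].upper()
    if any(p in path_l for p in SETUP_PATHS):
        tags.append("setup_wizard_access")
    if any(c in query_l for c in PHP_CONSTRUCTS):
        tags.append("php_construct_in_query")
    if entry["path"].startswith(SAP_PREFIXES) and any(s in query_u for s in SQL_PATTERNS):
        tags.append("sqli_pattern_sap")
    return tags


def find_sleep_sweeps(entries, min_variants=3):
    """Cross-request indicator: the same client repeating one request with only the
    SLEEP() argument changing, the usual fingerprint of automated time-based SQLi."""
    variants = defaultdict(set)
    for e in entries:
        delays = [int(d) for d in SLEEP_RE.findall(e["query"])]
        if delays:
            key = (e["ip"], e["path"], SLEEP_RE.sub("SLEEP(N)", e["query"]))
            variants[key].update(delays)
    return {k: sorted(v) for k, v in variants.items() if len(v) >= min_variants}


def analyze_log(text):
    entries = parse_log(text)
    alerts = [(e["ip"], e["path"], classify(e)) for e in entries if classify(e)]
    return {"entries": len(entries), "alerts": alerts, "sweeps": find_sleep_sweeps(entries)}


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    for ip, path, tags in result["alerts"]:
        print(f"{ip:10} {path:22} {', '.join(tags)}")
    for (ip, path, template), delays in result["sweeps"].items():
        print(f"sweep from {ip} on {path}: SLEEP values {delays}")
```

The sweep detector is the piece a per-request rule cannot express: a single `SLEEP(5)` may be a false positive, but the same client sending the same template with 5, 10 and 15 is the delay calibration sqlmap performs. The same limitation noted under the Sigma rule applies here: the POST body is not in the access log, so the setup-wizard finding is the access itself, and the request body has to come from ModSecurity or a reverse proxy that logs it.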
Recommendations for the protection of corporate systems
Protection from CWE-94: PHP code injection
For ChurchCRM and similar PHP applications with installation wizards:
1. Delete or block the setup wizard after installation is complete. At the web server level:
Code:
# Apache: block access to the setup wizard
<Directory /var/www/html/setup>
    Require all denied
</Directory>
NGINX:
# Nginx: the same block
location /setup/ {
    deny all;
    return 403;
}
2. Update ChurchCRM to version 7.1.0 or later, where the vulnerability is fixed.
3. Use WAF rules to block PHP constructs in request parameters. As F5 researchers note, signatures for blocking pre-auth RCE should catch not only specific CVEs but entire attack classes.
Protection from CWE-89: SQL Injection in SAP
1. Install SAP's April 2026 security updates, which include the fix for CVE-2026-27681. According to Comss.ru, SAP has released patches for a critical SQL injection in SAP BPC and SAP BW.
2. Parameterized queries are the only reliable fix for SQLi at the code level. As the DevSecOps Guides lab work demonstrates, replacing string concatenation with parameterized queries eliminates the attack vector entirely, regardless of payload complexity. The fix has been known since the late 1990s, which does not stop it from staying relevant in 2026.
3. Least privilege for the database account: the SAP BPC application should not connect to the database with an account holding DROP or ALTER privileges.
4. Network segmentation: SAP servers belong in an internal segment with restricted access, not on the network perimeter.
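Item 2 above is easiest to believe when the two forms sit side by side. The following is an added example, not from the post and not SAP's code: the same lookup written with string concatenation (CWE-89) and with a bound parameter, run against an in-memory SQLite table of constructed rows. It also goes one step beyond the text: column names cannot be bound, so a sort column is validated against an allow-list, which is the usual companion to parameterization. The `plans` table, its rows and the function names are this example's own.

```python
"""Added example, not from the post or from SAP's code: the same lookup written
with string concatenation (CWE-89) and with a bound parameter, run against an
in-memory SQLite table with constructed rows. Identifiers (column names) cannot
be bound, so they go through an allow-list instead."""
import sqlite3

ALLOWED_SORT_COLUMNS = {"id", "name", "owner"}


def make_db():
    """Constructed sample data standing in for a planning table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plans (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO plans (name, owner) VALUES (?, ?)",
                     [("FY26 budget", "alice"), ("Q3 forecast", "bob"), ("Merger model", "carol")])
    return conn


def plans_for_owner_vulnerable(conn, owner):
    """Vulnerable: the caller-controlled value becomes part of the SQL text,
    so quote characters in it change the query's structure."""
    sql = "SELECT name FROM plans WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def plans_for_owner_safe(conn, owner):
    """Fixed: the SQL text is constant and the value is sent as a bound parameter;
    the driver never parses it as SQL, whatever characters it contains."""
    return [row[0] for row in conn.execute("SELECT name FROM plans WHERE owner = ?", (owner,))]


def plans_sorted(conn, column):
    """Identifiers cannot be bound, so a sort column is validated against an
    allow-list before being spliced into the query text."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM plans ORDER BY {column}")]


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"  # the same string the Sigma rule above looks for
    print("vulnerable:", plans_for_owner_vulnerable(conn, tautology))
    print("safe:      ", plans_for_owner_safe(conn, tautology))
    print("sorted:    ", plans_sorted(conn, "name"))
```

With the tautology string the vulnerable function returns every row because the value rewrote the WHERE clause, while the parameterized one returns nothing because no owner is literally named `' OR '1'='1`. Item 3 (least privilege) is the backstop for the case where a concatenated query is missed: a read-only account limits what such a rewrite can do.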
Context: pre-auth RCE as a system problem of 2026
CVE-2026-39337 and CVE-2026-27681 are not isolated cases. In 2026, there was a wave of critical vulnerabilities in corporate systems with a similar pattern:
• CVE-2025-61757 - pre-auth RCE in Oracle Identity Manager (CVSS 9.8, CWE-306), affecting the REST WebServices component. According to F5 Security, exploitation presumably involves bypassing authentication via matrix parameters (;.wadl in the URL) followed by compilation of Groovy code through the @ASTTest annotation
• CVE-2026-35616 - pre-auth RCE in FortiClient EMS 7.4.5–7.4.6 (CVSS 9.8, CWE-284), already used in real attacks
• CVE-2025-59287 - unauthenticated RCE in WSUS via unsafe deserialization (CVSS 9.8, CWE-502)
The common pattern: corporate software with a wide attack surface, publicly reachable endpoints without authentication, and basic input-handling errors. For the pentester this means that the skills of exploiting PHP injection and SQL injection remain fundamental and in demand, even though the first descriptions of these vulnerability classes appeared more than twenty years ago.
As the Hive Security researchers rightly note, the fix for SQL injection has been known since the late 1990s: separating code from data through parameterized queries. But legacy code, ORMs with .raw() escape hatches, microservices without a clear owner, and developer deadlines guarantee that these vulnerabilities will keep appearing in pentest reports for years to come. The guidelines say "parameterize your queries", and in production it is still string concatenation.
Checklist: what to check when testing corporate systems
Based on the analysis of CVE-2026-39337 and CVE-2026-27681, a practical checklist for pentesting corporate web applications:
1. Setup / install endpoints: check whether installation wizards are reachable on production servers. This is the first thing I look for when scanning a CMS, and you would be surprised how often they are exposed.
2. Configuration files: check whether user data is written into PHP/Python/Ruby configuration without escaping.
3. SQL injection in APIs: test every parameter, including JSON body fields, Cookie headers and non-standard HTTP headers.
4. SAP default credentials: before testing SQLi in SAP systems, check the standard passwords for SAP*, DDIC, EARLYWATCH and other technical accounts.
5. WAF bypass: if a WAF is present, use sqlmap with --tamper scripts and manual payload modification.
Deploy the lab from this guide and walk through both vectors by hand, from the first curl to the shell. By training on examples, you will recognize these patterns in production within seconds.