Unrated severity · NVD Advisory · Published Dec 1, 2025 · Updated Dec 2, 2025
ChurchCRM vulnerable to a time-based blind SQL injection via the 1FieldSec parameter
CVE-2025-66313
Description
ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper parameterization. The issue allows data exfiltration and modification via blind techniques.
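The pattern the description refers to, shown as an added illustration that is not ChurchCRM's code and not the content of the fixing commit: a request value spliced into SQL text, beside a hardened version that validates the value and binds it through a PDO prepared statement. The table, column and function names are assumptions, and the 1FieldSec value is treated here as an integer selector.

```php
<?php
// Added illustration (not ChurchCRM's code). Table and column names are hypothetical.

// VULNERABLE: the request value becomes part of the SQL text, so any SQL
// appended to it (the advisory names SLEEP()) is executed by the database.
function lookupFieldVulnerable(PDO $db, string $fieldSec): array
{
    $sql = "SELECT fld_id, fld_name FROM custom_fields WHERE fld_sec = " . $fieldSec;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: check the shape of the input, then bind it as a typed parameter
// so the driver never interprets it as SQL.
function lookupFieldHardened(PDO $db, string $fieldSec): array
{
    // Accept only a small non-negative integer (assumed type of 1FieldSec).
    if (!ctype_digit($fieldSec) || strlen($fieldSec) > 9) {
        throw new InvalidArgumentException('1FieldSec must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT fld_id, fld_name FROM custom_fields WHERE fld_sec = :sec');
    $stmt->bindValue(':sec', (int) $fieldSec, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE custom_fields (fld_id INTEGER, fld_name TEXT, fld_sec INTEGER)');
$db->exec("INSERT INTO custom_fields VALUES (1, 'Baptism date', 1), (2, 'Notes', 2)");

// Constructed malformed value. SQLite has no SLEEP(), so a tautology is used to
// show the query logic being altered: the vulnerable path returns both rows.
$probe = '1 OR 1=1';
echo count(lookupFieldVulnerable($db, $probe)), " rows returned by the vulnerable query\n";
try {
    lookupFieldHardened($db, $probe);
} catch (InvalidArgumentException $e) {
    echo 'hardened path rejected the value: ', $e->getMessage(), "\n";
}
echo count(lookupFieldHardened($db, '1')), " row returned for a legitimate value\n";
```

Because the hardened query text is fixed at prepare time, a value that alters the database's execution time or row set has no way to change the statement, which is the property the advisory says the affected versions lack.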
References
- github.com/ChurchCRM/CRM/commit/719a6bc73245c40e3c30dae6229daaecd451e59f (patch commit)
- github.com/ChurchCRM/CRM/security/advisories/GHSA-47q3-c874-mqvp (GitHub security advisory)