Unrated severity · OSV Advisory · Published Dec 16, 2025 · Updated Dec 16, 2025
ChurchCRM has SQL Injection in Event Editor via `EN_tyid` Parameter caused by an Incomplete Fix
CVE-2025-67751
Description
ChurchCRM is an open-source church management system. Prior to version 6.5.0, the EventEditor.php file contains a SQL injection vulnerability: when a new event is created and an event type is selected, the EN_tyid POST parameter is not sanitized before it is used in a SQL query. An authenticated user who holds the event-management permission (isAddEvent) can therefore execute arbitrary SQL queries. Version 6.5.0 fixes the issue.
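The following is an added illustration of the bug class described above, not code from ChurchCRM (which is a PHP application) or from the fix commit. It uses an in-memory SQLite database, a constructed schema and a constructed payload to show why an unsanitized EN_tyid value concatenated into a query lets an authenticated user read other tables, and what the hardened lookup looks like; the table names, column names, function names and payload are all assumptions for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed stand-in schema for the illustration; not ChurchCRM's real tables or columns.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event_types (type_id INTEGER PRIMARY KEY, type_name TEXT);
        CREATE TABLE users (usr_id INTEGER PRIMARY KEY, usr_name TEXT, usr_password_hash TEXT);
        INSERT INTO event_types VALUES (1, 'Service'), (2, 'Meeting');
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password');
    """)
    return conn


def lookup_type_vulnerable(conn, post):
    """Hypothetical vulnerable pattern: the EN_tyid POST value is spliced into the SQL text.

    Whatever the client sends becomes part of the statement, so a value that is not a
    plain integer changes the query rather than being compared against type_id.
    """
    sql = "SELECT type_name FROM event_types WHERE type_id = " + post["EN_tyid"]
    return [row[0] for row in conn.execute(sql)]


def lookup_type_fixed(conn, post):
    """Hardened form: validate the expected type, then bind the value as a parameter.

    The integer check rejects anything that is not an id; the bound parameter guarantees
    the driver never treats the value as SQL even if validation were later loosened.
    """
    try:
        type_id = int(post["EN_tyid"])
    except (KeyError, ValueError, TypeError):
        raise ValueError("EN_tyid must be an integer event-type id")
    sql = "SELECT type_name FROM event_types WHERE type_id = ?"
    return [row[0] for row in conn.execute(sql, (type_id,))]


# Constructed payload: a UNION that reads the users table through the event-type lookup.
INJECTION = "0 UNION SELECT usr_name || ':' || usr_password_hash FROM users"


def demo():
    """Run both lookups against a benign and a hostile EN_tyid and report what each returns."""
    conn = make_db()
    benign = {"EN_tyid": "2"}
    hostile = {"EN_tyid": INJECTION}
    results = {
        "vulnerable_benign": lookup_type_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_type_vulnerable(conn, hostile),
        "fixed_benign": lookup_type_fixed(conn, benign),
    }
    try:
        lookup_type_fixed(conn, hostile)
        results["fixed_hostile"] = "accepted"
    except ValueError:
        results["fixed_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the benign value both lookups return the event type; with the hostile value the vulnerable lookup returns the constructed admin credential row, while the hardened lookup rejects the input before any SQL runs. In PHP the same shape is an `(int)` cast (or `intval`) on the POST value followed by a prepared statement with a bound parameter; the commit linked under References shows what the project actually changed in 6.5.0.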
References
- github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd
- github.com/ChurchCRM/CRM/security/advisories/GHSA-wxcc-gvfv-56fg