VYPR
Unrated severityOSV Advisory· Published Dec 16, 2025· Updated Dec 16, 2025

ChurchCRM has SQL Injection in Event Editor via `EN_tyid` Parameter caused by an Incomplete Fix

CVE-2025-67751

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the EventEditor.php file. When creating a new event and selecting an event type, the EN_tyid POST parameter is not sanitized. This allows an authenticated user with event management permissions (isAddEvent) to execute arbitrary SQL queries. Version 6.5.0 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.