Unrated severityOSV Advisory· Published Dec 17, 2025· Updated Dec 18, 2025
ChurchCRM vulnerable to RCE with database restore functionality
CVE-2025-68109
Description
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
1- github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77mitrex_refsource_CONFIRM
News mentions
1- Metasploit Wrap-Up 04/17/2026Rapid7 Blog · Apr 17, 2026