Severity: Unrated · OSV Advisory · Published Dec 17, 2025 · Updated Dec 18, 2025
ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php
CVE-2025-68400
Description
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint /Reports/ConfirmReportEmail.php in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and is reachable directly via URL. This is a classic case of *dead but reachable code*. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the familyId parameter. Version 6.5.3 fixes the issue.
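The advisory describes a numeric request parameter (familyId) reaching the database from a legacy PHP file that is no longer linked from the UI but still served. The block below is an added illustration of that vulnerability class and its remediation; it is not ChurchCRM's code and does not reproduce the actual ConfirmReportEmail.php logic. It assumes an existing PDO connection in $pdo, and the table and column names (family_tbl, fam_ID, fam_Name) are placeholders.

```php
<?php
// Added illustration, not ChurchCRM's code: handling a numeric request
// parameter such as familyId in a legacy PHP endpoint.
// Assumptions: $pdo is an existing PDO connection; family_tbl, fam_ID and
// fam_Name are placeholder names, not the project's real schema.

declare(strict_types=1);

// Unsafe pattern: the raw query-string value is spliced into the SQL text,
// so anything that is not a plain number reaches the engine as SQL syntax.
// A time-based blind injection works against exactly this shape of query,
// because the attacker observes response latency rather than output.
function lookupFamilyUnsafe(PDO $pdo, array $get): array
{
    $familyId = $get['familyId'] ?? '';
    $sql = "SELECT fam_ID, fam_Name FROM family_tbl WHERE fam_ID = " . $familyId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate the type first, then bind the value so the
// driver transmits it as data rather than as part of the statement.
function lookupFamilySafe(PDO $pdo, array $get): array
{
    $familyId = filter_var($get['familyId'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($familyId === false) {
        http_response_code(400);   // reject anything that is not a positive integer
        return [];
    }
    $stmt = $pdo->prepare('SELECT fam_ID, fam_Name FROM family_tbl WHERE fam_ID = :id');
    $stmt->bindValue(':id', $familyId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// For a feature that was removed from the UI, the durable fix is to delete
// the file from the deployment. Until that happens, an explicit permission
// gate at the top of the script ensures that reaching it by URL is not enough;
// the advisory notes that a user with zero assigned permissions could reach it.
function denyLegacyEndpoint(bool $userHasRequiredPermission): void
{
    if (!$userHasRequiredPermission) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

On the detection side, a legacy path that should receive no traffic is a useful signal in itself: any request to /Reports/ConfirmReportEmail.php on a pre-6.5.3 deployment, and in particular one where familyId is not a bare integer or where response times are unusually long, is worth alerting on.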
Affected products
1 affected product listed.

Patches
0 patches. No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference:
- github.com/ChurchCRM/CRM/security/advisories/GHSA-v54g-2pvg-gvp2 (vendor advisory, CONFIRM)
News mentions
0 mentions. No linked articles in our index yet.