Unrated severityOSV Advisory· Published Dec 17, 2025· Updated Dec 18, 2025
ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php
CVE-2025-68400
Description
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint /Reports/ConfirmReportEmail.php in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a classic case of *dead but reachable code*. Any authenticated user - including one with zero assigned permissions - can exploit SQL injection through the familyId parameter. Version 6.5.3 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
1- github.com/ChurchCRM/CRM/security/advisories/GHSA-v54g-2pvg-gvp2mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.