Unrated severityOSV Advisory· Published Dec 17, 2025· Updated Dec 18, 2025
ChurchCRM has Stored Cross-Site Scripting (XSS) vulnerability that leads to session theft and account takeover
CVE-2025-68401
Description
ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts the script can access web origin data and perform privileged actions as the victim. Where session cookies are not marked HttpOnly, the script can read document.cookie, enabling session theft and account takeover. Version 6.0.0 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
1- github.com/ChurchCRM/CRM/security/advisories/GHSA-phfw-p278-qq7vmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.