Remote Code Execution Vulnerability in Church Management System by ChurchCRM
CVE-2025-62521
What is CVE-2025-62521?
ChurchCRM, an open-source church management system, contains a vulnerability in its setup wizard that lets an unauthenticated attacker achieve remote code execution. The flaw affects versions prior to 5.21.0 and allows arbitrary PHP code to be injected during the initial installation. It stems from missing validation and sanitization of user input in 'setup/routes/setup.php': values submitted through any parameter of the setup form are written into 'Include/Config.php' as PHP source, so an attacker who breaks out of the generated string literal gets code that runs on every page load, compromising the server. The issue is particularly dangerous because it sits in the installation phase, where no administrator account exists yet and no authentication is required. Version 5.21.0 addresses the problem; instances still exposing an unfinished setup wizard should be upgraded before being reachable from untrusted networks.
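To make the mechanism concrete, here is an added illustration (not ChurchCRM's own code; the form field names, the configuration variable names and the file layout are assumptions chosen for the example). It shows the vulnerable pattern of interpolating setup-form input straight into PHP source, the hardened form that validates what can be validated and escapes everything through var_export(), and a token-level guard that refuses to write a generated config file containing anything other than plain assignments.

```php
<?php
// Added example, not ChurchCRM code. Field names (db_host, db_name, ...) and
// the $sSERVERNAME-style variable names are assumptions for this illustration.

// Vulnerable pattern: user-controlled setup fields are interpolated directly
// into PHP source. A value containing a single quote closes the string
// literal, and whatever follows becomes code that runs whenever the generated
// file is included.
function buildConfigVulnerable(array $form): string
{
    return "<?php\n"
        . "\$sSERVERNAME = '{$form['db_host']}';\n"
        . "\$sDATABASE   = '{$form['db_name']}';\n"
        . "\$sUSER       = '{$form['db_user']}';\n"
        . "\$sPASSWORD   = '{$form['db_pass']}';\n";
}

// Hardened pattern: allow-list the fields that have a known shape, and emit
// every value through var_export(), which yields a correctly escaped PHP
// string literal, so no input can terminate the literal early.
function buildConfigHardened(array $form): string
{
    if (!preg_match('/^[A-Za-z0-9._:\-\[\]]{1,253}$/', $form['db_host'])) {
        throw new InvalidArgumentException('db_host: invalid host');
    }
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $form['db_name'])) {
        throw new InvalidArgumentException('db_name: invalid database name');
    }
    // Usernames and passwords may legitimately contain any character;
    // escaping, not filtering, is what keeps them harmless.
    return "<?php\n"
        . '$sSERVERNAME = ' . var_export($form['db_host'], true) . ";\n"
        . '$sDATABASE   = ' . var_export($form['db_name'], true) . ";\n"
        . '$sUSER       = ' . var_export($form['db_user'], true) . ";\n"
        . '$sPASSWORD   = ' . var_export($form['db_pass'], true) . ";\n";
}

// Defense in depth: before writing the generated file, tokenize it and accept
// only "<?php", whitespace, variables, string literals, '=' and ';'. Any
// function call, operator or comment smuggled in via input fails the check.
function isAssignmentOnly(string $phpSource): bool
{
    $allowed = [T_OPEN_TAG, T_WHITESPACE, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING];
    foreach (token_get_all($phpSource) as $tok) {
        if (is_array($tok)) {
            if (!in_array($tok[0], $allowed, true)) {
                return false;
            }
        } elseif ($tok !== '=' && $tok !== ';') {
            return false;
        }
    }
    return true;
}

// Constructed setup request with a benign breakout payload in one field.
$form = [
    'db_host' => 'localhost',
    'db_name' => 'churchcrm',
    'db_user' => 'crm',
    'db_pass' => "x'; phpinfo(); //",
];

$vulnerable = buildConfigVulnerable($form);
$hardened   = buildConfigHardened($form);

echo "--- vulnerable Config.php ---\n", $vulnerable, "\n";
echo "assignment-only: ", var_export(isAssignmentOnly($vulnerable), true), "\n\n";

echo "--- hardened Config.php ---\n", $hardened, "\n";
echo "assignment-only: ", var_export(isAssignmentOnly($hardened), true), "\n";
```

Run it with `php example.php`. The vulnerable output is syntactically valid PHP, so `php -l` would not flag it; only the token walk notices the extra statement. The hardened output keeps the payload inside a single string literal, and the guard passes it.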

Affected Version(s)
ChurchCRM < 5.21.0
