Blind SQL Injection Vulnerability in ChurchCRM by ChurchCRM
CVE-2025-66313

5.1MEDIUM

Key Information:

Vendor: Churchcrm
Status: Crm
Vendor: CVE Published:; 1 December 2025

What is CVE-2025-66313?

In ChurchCRM versions 6.2.0 and earlier, a time-based blind SQL injection vulnerability exists within the handling of the 1FieldSec parameter. This flaw allows attackers to exploit time delays using the SLEEP() function, confirming that input is directly used in SQL queries without adequate parameterization. As a result, attackers can execute queries that lead to unauthorized data access and manipulation using blind techniques, posing a serious risk to sensitive information.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

CRM <= 6.2.0

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/ChurchCRM/CRM/commit/719a6bc73245c40e3...

x_refsource_MISC

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Dec 1, 2025
Vulnerability Reserved
Nov 26, 2025

JSON

Churchcrm

What is CVE-2025-66313?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.