SQL Injection Vulnerability in ChurchCRM Open Source Management System
CVE-2025-68112

9.6CRITICAL

Key Information:

Vendor: Churchcrm
Status: Crm
Vendor: CVE Published:; 17 December 2025

What is CVE-2025-68112?

ChurchCRM, an open-source church management system, has a SQL injection vulnerability in its Event Attendee Editor for versions prior to 6.5.3. This flaw allows authenticated users to execute arbitrary SQL commands, which can lead to complete exposure of the database. Attackers may exploit this vulnerability to access sensitive information, including member data, authentication credentials, and financial records. The issue has been addressed in version 6.5.3, which includes a patch to mitigate the risk associated with this vulnerability.

Affected Version(s)

CRM < 6.5.3

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 17, 2025
Vulnerability Reserved
Dec 15, 2025

JSON

Churchcrm

What is CVE-2025-68112?

Affected Version(s)

References

CVSS V3.1

Timeline