#VU125679 SQL injection in ChurchCRM - CVE-2025-68400

Published: April 9, 2026


Vulnerability identifier: #VU125679
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-68400
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in ConfirmReportEmail.php when handling the familyId parameter in requests to the legacy /Reports/ConfirmReportEmail.php endpoint. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.

The endpoint remains directly reachable by URL even though it was removed from the user interface.
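The advisory describes the classic CWE-89 pattern: a request parameter is folded into the SQL text instead of being bound as a value. The block below is an added illustration and is not ChurchCRM's code; the table name `family_fam`, its columns, and the in-memory SQLite database are constructed for the example. It places the unsafe concatenation pattern next to the hardened version, which validates `familyId` as a positive integer and binds it through a prepared statement, so the value can never alter the statement's structure.

```php
<?php
// Added example, not ChurchCRM's code. Table and column names are constructed.
declare(strict_types=1);

// Unsafe pattern: the raw request value becomes part of the SQL text, so the
// database parser treats attacker-controlled input as part of the statement.
function lookupFamilyUnsafe(PDO $pdo, string $familyId): ?array
{
    $sql = 'SELECT fam_ID, fam_Name, fam_Email FROM family_fam WHERE fam_ID = ' . $familyId;
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: reject anything that is not a positive integer before the
// database is touched, then pass the value as a bound parameter.
function lookupFamilySafe(PDO $pdo, $familyId): ?array
{
    $id = filter_var($familyId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller should answer with 400 rather than touching the DB
    }
    $stmt = $pdo->prepare('SELECT fam_ID, fam_Name, fam_Email FROM family_fam WHERE fam_ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE family_fam (fam_ID INTEGER PRIMARY KEY, fam_Name TEXT, fam_Email TEXT)');
$pdo->exec("INSERT INTO family_fam VALUES (1, 'Example Family A', 'a@example.invalid')");
$pdo->exec("INSERT INTO family_fam VALUES (2, 'Example Family B', 'b@example.invalid')");

// A well-formed id is looked up; anything that is not a positive integer is
// refused before a query is built.
var_dump(lookupFamilySafe($pdo, '2'));          // row for fam_ID 2
var_dump(lookupFamilySafe($pdo, '2 OR 1=1'));   // NULL: fails integer validation
var_dump(lookupFamilySafe($pdo, '0'));          // NULL: outside min_range
```

Two design points matter beyond the binding itself: `PDO::ATTR_EMULATE_PREPARES` is turned off so the driver sends real server-side prepared statements rather than client-side escaping, and validation happens before `prepare()`, which keeps malformed input out of query logs and error messages. The advisory also notes that the endpoint stayed reachable after being dropped from the UI, so removing or gating the script itself (or denying the path at the web server) is the complementary control while the vendor update is rolled out.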


Remediation

Install the security update from the vendor's website.

External links