#VU125687 Code Injection in ChurchCRM - CVE-2025-62521

Published: April 9, 2026


Vulnerability identifier: #VU125687
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2025-62521
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in setup/routes/setup.php when processing setup form input during the initial installation process. A remote attacker can submit specially crafted setup parameters to execute arbitrary code.

The issue affects fresh installations exposed through the unauthenticated setup wizard; the injected PHP code is written to Include/Config.php, where it executes on subsequent page loads.
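The following added example is not ChurchCRM's code; the key names, validation patterns and config path are hypothetical. It contrasts the pattern the description points at, setup-form values interpolated straight into generated PHP source, with a generator that allowlists keys, validates each value and emits it through var_export(), and refuses to rewrite an existing config so the wizard cannot be reused after installation.

```php
<?php
// Added illustration, not ChurchCRM's code; key names, patterns and path are hypothetical.
// Unsafe: the submitted value is pasted into PHP source, so a quote, "$" or "{"
// in it changes what the generated file does when it is later included.
function render_config_unsafe(array $values): string
{
    $src = "<?php\n";
    foreach ($values as $key => $value) {
        $src .= "\$$key = \"$value\";\n";
    }
    return $src;
}

// Hardened: only allowlisted keys are written, each value must match its expected
// shape, and var_export() emits a correctly quoted string literal, never code.
const SETUP_KEYS = [
    'db_host'     => '/^[A-Za-z0-9.\-]{1,253}$/',
    'db_port'     => '/^\d{1,5}$/',
    'db_name'     => '/^[A-Za-z0-9_]{1,64}$/',
    'db_user'     => '/^[A-Za-z0-9_]{1,32}$/',
    'db_password' => '/^.{1,128}$/s',  // any characters; var_export() escapes them
];

function render_config_safe(array $values): string
{
    $src = "<?php\n";
    foreach (SETUP_KEYS as $key => $pattern) {
        $value = $values[$key] ?? null;
        if (!is_string($value) || !preg_match($pattern, $value)) {
            throw new InvalidArgumentException("setup value '$key' is missing or malformed");
        }
        $src .= '$' . $key . ' = ' . var_export($value, true) . ";\n";
    }
    return $src;
}

// The wizard must stop working once installed: refuse to overwrite an existing
// config, and write the new one atomically.
function write_config(string $path, array $values): void
{
    if (file_exists($path)) {
        throw new RuntimeException('already installed; setup is disabled');
    }
    file_put_contents($path . '.tmp', render_config_safe($values), LOCK_EX);
    rename($path . '.tmp', $path);
}

// Constructed sample input; the apostrophe is emitted inside the literal as 'it\'s-a-secret'.
echo render_config_safe(['db_host' => 'db.internal', 'db_port' => '3306', 'db_name' => 'crm',
                         'db_user' => 'crm_app', 'db_password' => "it's-a-secret"]);
```

On an already-installed instance, a defender can also compare Include/Config.php against the expected handful of assignments: any statement beyond simple literal assignments is a sign the file was generated from untrusted input.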


Remediation

Install the security update from the vendor's website.

External links