CVE
CVE-2025-68400
ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint /Reports/ConfirmReportEmail.php in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a classic case of dead but reachable code. Any authenticated user - including one with zero assigned permissions - can exploit SQL injection through the familyId parameter. Version 6.5.3 fixes the issue.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
9.3
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-
Related Resources
No items found.
References
https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68400.json, https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v54g-2pvg-gvp2, https://nvd.nist.gov/vuln/detail/CVE-2025-68400
Basic Information
Ecosystem
