CVE-2025-68109

HIGH EPSS 68.7%

Published Dec 17, 20256mo ago · Modified Jun 17, 20261w ago

7.2 CVSS 3.1

High

Published Dec 17, 2025 6mo ago

Last Modified Jun 17, 2026 1w ago

Description

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

CVSS Details

Base Score

7.2

Exploitability

1.2

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

68.7% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 5

CWE-434 Unrestricted Upload of File with Dangerous Type Resource Mgmt

CWE-494

CWE-552

CWE-78 OS Command Injection Injection

CWE-915

Affected Products 1

Vendor	Product	Version	Range
churchcrm	churchcrm	*	<6.5.3

References 1

github.com https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.