CVE 9.1 CRITICAL

ChurchCRM vulnerable to RCE with database restore functionality_CVE-2025-68109

December 17, 2025 invoker category_cve

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

AI Analysis

Remote code execution (RCE) vulnerability in ChurchCRM's Database Restore functionality due to lack of validation of uploaded files

Basic Information

ID CVE-2025-68109

Source GitHub_M

Published Dec 17, 2025 at 21:29

Affected Product

Vendor ChurchCRM

Product CRM

Version < 6.5.3

Affected Versions ChurchCRM CRM < 6.5.3

CWE Classification

CWE-78 CWE-434 CWE-494 CWE-552 CWE-915

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor ChurchCRM

Product ChurchCRM CRM

Version < 6.5.3

References

github.com /ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77

{
    "lastseen": "",
    "description": "ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.",
    "published": "2025-12-17T21:29:39.452Z",
    "modified": "2025-12-17T21:29:39.452Z",
    "type": "cve",
    "title": "ChurchCRM vulnerable to RCE with database restore functionality",
    "source": "GitHub_M",
    "references": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77",
    "id": "CVE-2025-68109",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78",
        "CWE-434",
        "CWE-494",
        "CWE-552",
        "CWE-915"
    ],
    "cvelist": null,
    "sourceData": "ChurchCRM CRM < 6.5.3",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "CRM",
    "version": "< 6.5.3",
    "vendor": "ChurchCRM",
    "ai_description": "Remote code execution (RCE) vulnerability in ChurchCRM's Database Restore functionality due to lack of validation of uploaded files",
    "ai_severity": "Critical",
    "ai_vendor": "ChurchCRM",
    "ai_product": "ChurchCRM CRM",
    "ai_version": "< 6.5.3",
    "ai_score": 9.1
}

💭 Join the Security Discussion ❌ Cancel Reply