How severe is CVE-2025-68109?

CVE-2025-68109 has a CVSS v3 score of 9.1 (CRITICAL).

CVE-2025-68109

Name: churchcrm
Author: churchcrm

9.1CRITICAL

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an

Veröffentlicht: 12/17/2025Aktualisiert: 12/18/2025

Beschreibung

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

KI-AnalyseKI-gestützt

Betroffene Produkte

churchcrmchurchcrm

Referenzen

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77
ExploitVendor Advisory