CVE-2025-68109 CRITICAL

CVE-2025-68109: ChurchCRM vulnerable to RCE with database restore functionality

Vendor Churchcrm
Product CRM
Weakness CWE-78
Published December 17, 2025
Last update December 18, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

Key dates

02Disclosure timeline

December 17, 2025 CVE published
December 18, 2025 Record updated