CRITICAL🇵🇱 Wersja polska

CVE-2025-68109

CVSS 9.1v3.1pub. 2025-12-17upd. 2025-12-18

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Churchcrm

    APP
    Churchcrm
    < 6.5.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2026-39339CRITICAL9.1PL ✓ten sam produkt

ChurchCRM — krytyczny auth bypass w API middleware

CVE-2026-39342CRITICAL9.4PL ✓ten sam produkt

SQL Injection w ChurchCRM przez parametr searchwhat (QueryView.php)

CVE-2026-35573CRITICAL9.1PL ✓ten sam produkt

ChurchCRM: Path Traversal i RCE przez funkcję przywracania kopii zapasowej

CVE-2026-39337CRITICAL10.0PL ✓ten sam produkt

ChurchCRM: pre-auth RCE przez wstrzyknięcie kodu PHP w kreatorze instalacji

CVE-2025-68112CRITICAL9.6PL ✓ten sam produkt

SQL Injection w ChurchCRM — kompromitacja bazy danych