
CVE-2025-66313



Published: Dec 1, 2025

Modified: Dec 2, 2025

Status: PUBLISHED

Description

ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper parameterization. The issue allows data exfiltration and modification via blind techniques.

Affected products

Vendor      Product   Versions
ChurchCRM   CRM       affected: <= 6.2.0

Weaknesses (CWE)
