CVE-2025-11939

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 5.18.0

Description A path traversal issue exists in ChurchCRM due to improper handling of the restoreFile argument within the Backup Restore Handler component, specifically in the file src/ChurchCRM/Backup/RestoreJob.php. This allows for remote exploitation through manipulation of this argument. The vulnerability has been publicly disclosed.

Recommendations Update ChurchCRM to version 5.18.0 or later.