CVE-2025-66313

Name of the Vulnerable Software and Affected Versions ChurchCRM versions 6.2.0 and earlier

Description ChurchCRM is an open-source church management system. A time-based blind SQL injection exists in how the 1FieldSec parameter is handled. Injecting SLEEP() results in predictable server-side delays, confirming the value is included in a SQL query without proper parameterization. This allows for data exfiltration and modification using blind techniques.

Recommendations Update to a version later than 6.2.0.