PT-2025-51932 · Churchcrm · Churchcrm

Lukasz-Rybak · Published 2025-12-17 · Updated 2025-12-20 · CVE-2025-68400

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.3
Description: ChurchCRM is an open-source church management system. A SQL injection issue is present in a legacy endpoint, /Reports/ConfirmReportEmail.php, and is exploitable through the familyId parameter. Any authenticated user, even one with limited permissions, can trigger the SQL injection. The vulnerable code, although removed from the user interface, remains accessible directly via URL, a case of 'dead but reachable code'.
Recommendations: Update to version 6.5.3 or later.
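A defender-side check for the advisory above, added here as an example and not part of the original page or of ChurchCRM: it scans web-server access logs for requests to the legacy endpoint and flags any familyId value that is not a plain integer. The log lines are constructed, and the /churchcrm/ sub-path and the assumption that familyId is a numeric key are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Dec/2025:10:01:02 +0000] "GET /Reports/ConfirmReportEmail.php?familyId=42 HTTP/1.1" 200 512
10.0.0.7 - - [18/Dec/2025:10:01:09 +0000] "GET /Reports/ConfirmReportEmail.php?familyId=42%27%20OR%201%3D1-- HTTP/1.1" 200 8192
10.0.0.9 - - [18/Dec/2025:10:02:15 +0000] "GET /FamilyView.php?FamilyID=42 HTTP/1.1" 200 2048
10.0.0.7 - - [18/Dec/2025:10:03:40 +0000] "GET /churchcrm/Reports/ConfirmReportEmail.php HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
LEGACY_PATH = "/Reports/ConfirmReportEmail.php"  # endpoint named in the advisory
INT_RE = re.compile(r"^\d{1,10}$")               # assumption: familyId is a numeric key

def flag_requests(log_text):
    """Return one record per request to the legacy endpoint.

    tampered=True means familyId was present but not a plain integer, which is
    the shape an injection attempt against this parameter would take. Hits with
    tampered=False still deserve a look: the page is no longer linked from the
    UI, so legitimate traffic to it should be rare.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        parts = urlsplit(m.group("target"))
        # endswith() tolerates installs under a sub-path such as /churchcrm/
        if not parts.path.endswith(LEGACY_PATH):
            continue
        values = parse_qs(parts.query).get("familyId")
        family_id = values[0] if values else None
        tampered = family_id is not None and not INT_RE.match(family_id)
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                     "family_id": family_id, "tampered": tampered})
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

Feed it the real access log of an instance that has not yet been updated to 6.5.3 to see whether the endpoint has been reached at all.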

Weakness Enumeration: SQL injection

Related Identifiers

CVE-2025-68400
GHSA-V54G-2PVG-GVP2

Affected Products

Churchcrm