ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.
{
"cwe_ids": [
"CWE-434",
"CWE-494",
"CWE-552",
"CWE-78",
"CWE-915"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68109.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "6.5.3"
}
],
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
]
}