Information disclosure in Churchcrm Crm
CVE-2025-68110
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue.
Vulnerability class: Information Disclosure
EPSS: 0.001 (21.4th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Churchcrm Crm — versions < 6.5.3
Weakness classification (CWE)
References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-82mq-xc2j-3qv2 (x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2025-68110?
- CVE-2025-68110 is a critical-severity vulnerability in Churchcrm Crm, classified under Information Disclosure. CVSS score: 10.0/10. Published 2025-12-17.
- How severe is CVE-2025-68110?
- Critical severity. CVSS v3 base score is 10.0 out of 10.