CVE-2025-68110
CRITICAL - ChurchCRM < 6.5.3 - Sensitive Database Information Disclosure in Error Message
Title source: llmDescription
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database connection details in an error message, including the host, IP address, username, and password. Version 6.5.3 fixes the issue.
References (1)
Core References
Exploit, Vendor Advisory (x_refsource_confirm)
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-82mq-xc2j-3qv2
Scores
CVSS v3
9.9
EPSS
0.0036
EPSS Percentile
27.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-209
CWE-200
Status
published
Products (1)
churchcrm/churchcrm
< 6.5.3
Published
Dec 17, 2025
Tracked Since
Feb 18, 2026