ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HChurchcrm
APPChurchcrm< 6.5.3
Related vulnerabilities
CVE-2026-39339CRITICAL9.1PL ✓ten sam produkt
ChurchCRM — krytyczny auth bypass w API middleware
CVE-2026-39342CRITICAL9.4PL ✓ten sam produkt
SQL Injection w ChurchCRM przez parametr searchwhat (QueryView.php)
CVE-2026-35573CRITICAL9.1PL ✓ten sam produkt
ChurchCRM: Path Traversal i RCE przez funkcję przywracania kopii zapasowej
CVE-2026-39337CRITICAL10.0PL ✓ten sam produkt
ChurchCRM: pre-auth RCE przez wstrzyknięcie kodu PHP w kreatorze instalacji
CVE-2025-68112CRITICAL9.6PL ✓ten sam produkt
SQL Injection w ChurchCRM — kompromitacja bazy danych