CVE-2025-66313 – ChurchCRM vulnerable to a time-based blind SQL injection via the 1FieldSec parameter

CVE ID : CVE-2025-66313

Published : Dec. 1, 2025, 11:15 p.m. | 1 hour, 9 minutes ago

Description : ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper parameterization. The issue allows data exfiltration and modification via blind techniques.

Severity: 5.1 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2025-66448 – vLLM vulnerable to remote code execution via transformers_utils/get_config

CVE-2025-66415 – fastify-reply-from bypass of reply forwarding

CVE-2025-66400 – mdast-util-to-hast unsanitized class attribute

CVE-2025-66412 – Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes