#VU125681 Information disclosure in ChurchCRM - CVE-2025-68110

 


Published: April 9, 2026


Vulnerability identifier: #VU125681
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-68110
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in StatementWrapper.php when handling database errors. A remote user can trigger an uncaught database exception to disclose sensitive information.

Exposed error messages may include the database host, IP address, username, and password.
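The general mitigation for this class of flaw, shown as an added example (not ChurchCRM's code and not the vendor's patch): catch database failures at the boundary, keep the detail in the server log, and return only a generic message with a reference id. The function names `failingQuery` and `guardedDbCall` and the sample error text are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Never render raw errors to the client; keep them in the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Hypothetical stand-in for a failing database call. The message is
 * constructed sample data shaped like a driver connection error.
 */
function failingQuery(): array
{
    throw new PDOException(
        "SQLSTATE[HY000] [1045] Access denied for user 'crm_app'@'db.example.internal' (using password: YES)"
    );
}

/**
 * Run a database operation and turn any failure into a generic client
 * response. Full detail goes to the server log under a reference id,
 * so that log must itself be access-controlled.
 *
 * @return array{status:int, body:array}
 */
function guardedDbCall(callable $operation): array
{
    try {
        return ['status' => 200, 'body' => ['data' => $operation()]];
    } catch (Throwable $e) {
        $ref = bin2hex(random_bytes(8));
        error_log(sprintf('[db-error %s] %s: %s', $ref, get_class($e), $e->getMessage()));
        return [
            'status' => 500,
            'body'   => ['error' => 'Internal server error', 'reference' => $ref],
        ];
    }
}

$response = guardedDbCall('failingQuery');
$body = json_encode($response['body']);
echo $body, PHP_EOL;

// Check that the client-facing body carries none of the connection details.
$leaked = preg_match('/SQLSTATE|Access denied|crm_app|db\.example\.internal/', $body);
echo $leaked ? "connection details leaked\n" : "no connection details in response\n";
```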


Remediation

Install the security update from the vendor's website.

External links