Observable Response Discrepancy in ChurchCRM - CVE-2025-67874

 


Published: April 9, 2026


Vulnerability identifier: #VU125714
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-67874
CWE-ID: CWE-204
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software: ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to an observable response discrepancy in HTTP responses when processing user-supplied passwords: the application echoes a submitted password back in plaintext in the response body. A remote privileged user can submit a password and read it back from the response, disclosing sensitive information.

This can occur in workflows such as registration, password change or reset, and login error handling.
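The following Python snippet is an added illustration of the CWE-204 pattern described above; it is not ChurchCRM code and does not reproduce the product's actual handler. It models a password-change form whose error page re-populates submitted fields (the vulnerable variant reflects the password; the hardened variant blanks sensitive fields), and a regression check that a defender can run over a captured response body to confirm no submitted secret is echoed. Field names, messages and the sample form are all constructed for the example.

```python
"""Added example (not ChurchCRM code): a minimal change-password handler that
echoes the submitted password into its error page, a hardened variant, and a
regression check for secrets reflected into an HTTP response body."""
import html

# Hypothetical field names that must never be reflected into a response body.
SENSITIVE_FIELDS = frozenset(
    {"password", "old_password", "new_password", "confirm_password"}
)


def validate(form):
    """Return validation errors for a constructed change-password form."""
    errors = []
    if len(form.get("new_password", "")) < 12:
        errors.append("Password must be at least 12 characters.")
    if form.get("new_password") != form.get("confirm_password"):
        errors.append("Passwords do not match.")
    return errors


def render_error_vulnerable(form, errors):
    """Re-populates every submitted field, so the plaintext password is
    written back into the HTML response (the CWE-204 discrepancy)."""
    fields = "".join(
        f'<input name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in form.items()
    )
    msgs = "".join(f"<li>{html.escape(e)}</li>" for e in errors)
    return f"<form>{fields}</form><ul>{msgs}</ul>"


def render_error_hardened(form, errors):
    """Same page, but sensitive fields are always re-rendered empty."""
    fields = "".join(
        f'<input name="{html.escape(k)}" '
        f'value="{"" if k in SENSITIVE_FIELDS else html.escape(v)}">'
        for k, v in form.items()
    )
    msgs = "".join(f"<li>{html.escape(e)}</li>" for e in errors)
    return f"<form>{fields}</form><ul>{msgs}</ul>"


def response_echoes_secret(body, submitted):
    """Regression check: names of sensitive submitted fields whose value
    (raw or HTML-escaped) appears anywhere in the response body."""
    leaked = []
    for name, value in submitted.items():
        if name not in SENSITIVE_FIELDS or not value:
            continue
        if value in body or html.escape(value) in body:
            leaked.append(name)
    return leaked


def demo():
    """Run both renderers on a constructed failing submission and report
    which fields each one leaks."""
    form = {  # constructed sample input
        "username": "alice",
        "new_password": "short",
        "confirm_password": "different",
    }
    errors = validate(form)
    vulnerable = response_echoes_secret(render_error_vulnerable(form, errors), form)
    hardened = response_echoes_secret(render_error_hardened(form, errors), form)
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())  # (['new_password', 'confirm_password'], [])
```

The check is a plain substring search, so it can false-positive on very short secrets that happen to appear in normal page text; in practice run it with the longer, random values a test suite would submit. The same check applies unchanged to registration, reset and login-error responses, which the advisory names as other affected workflows.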


How to mitigate CVE-2025-67874

Install the security update from the vendor's website.

Sources