#VU125718 Arbitrary file upload in ChurchCRM - CVE-2025-68109


Published: April 9, 2026 / Updated: April 15, 2026


Vulnerability identifier: #VU125718
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear
CVE-ID: CVE-2025-68109
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote user to execute arbitrary code on the server.

The vulnerability exists because the database restore functionality does not restrict the type of files that can be uploaded as restore files. A remote privileged user can upload a web shell together with a crafted .htaccess file and execute arbitrary code on the server.

The uploaded web shell executes with the privileges of the web server user, and the impact extends beyond the application boundary.
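As an added illustration (this is not ChurchCRM's code and not the vendor's fix), the following PHP class shows the controls that close this class of upload weakness for a restore endpoint: an extension allowlist applied to every dotted component of the client-supplied name, rejection of dotfiles such as .htaccess, a magic-byte check for compressed archives, and storage under a server-chosen random name in a directory outside the document root. The accepted extensions, the `$uploadDir` path and the size limit are assumptions made for the example.

```php
<?php
// Added example (not ChurchCRM code): hardened handling of a database-restore upload.
// Assumptions (illustrative, not taken from the advisory): restore archives are
// expected as .sql, .sql.gz or .zip, and $uploadDir lies outside the web root.

declare(strict_types=1);

final class RestoreUploadValidator
{
    /** Extensions a restore archive may carry; anything else is rejected. */
    private const ALLOWED_EXTENSIONS = ['sql', 'gz', 'zip'];

    /** Leading bytes (magic numbers) of the compressed formats we accept. */
    private const MAGIC = [
        'gz'  => "\x1f\x8b",
        'zip' => "PK\x03\x04",
    ];

    public function __construct(
        private string $uploadDir,                 // assumed: a directory outside DocumentRoot
        private int $maxBytes = 512 * 1024 * 1024  // assumed size limit for a restore archive
    ) {}

    /**
     * Validate one entry of $_FILES and move it to a server-chosen name outside
     * the web root. Returns the stored path; throws on any policy violation.
     */
    public function accept(array $file): string
    {
        if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
            throw new RuntimeException('upload failed or missing');
        }
        if (!is_uploaded_file($file['tmp_name'])) {
            throw new RuntimeException('not an uploaded file');
        }
        if ((int) $file['size'] > $this->maxBytes) {
            throw new RuntimeException('archive too large');
        }

        // Keep only the final path component and refuse dotfiles (.htaccess, .user.ini)
        // and names with unusual characters. The client name is only used for the
        // extension decision; it is never reused on disk.
        $name = basename((string) $file['name']);
        if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
            throw new RuntimeException('unacceptable file name');
        }

        // Every extension in the name must be on the allowlist, so both
        // "dump.php.sql" and "shell.sql.php" are rejected, not only the last component.
        $parts = explode('.', strtolower($name));
        array_shift($parts); // drop the base name
        if ($parts === [] || array_diff($parts, self::ALLOWED_EXTENSIONS) !== []) {
            throw new RuntimeException('extension not allowed');
        }
        $ext = end($parts);

        // Content check for compressed formats: the bytes must match the claimed type.
        if (isset(self::MAGIC[$ext])) {
            $head = (string) file_get_contents($file['tmp_name'], false, null, 0, 8);
            if (!str_starts_with($head, self::MAGIC[$ext])) {
                throw new RuntimeException('content does not match extension');
            }
        }

        // Server-chosen name, outside the document root, readable only by the app user.
        $dest = $this->uploadDir . '/restore-' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (!move_uploaded_file($file['tmp_name'], $dest)) {
            throw new RuntimeException('could not store archive');
        }
        chmod($dest, 0600);
        return $dest;
    }
}
```

Usage from the restore handler would be `(new RestoreUploadValidator('/var/lib/churchcrm-restore'))->accept($_FILES['restoreFile'])`, where the directory and the form field name are assumed. Because the file lands outside the web root under a name the client never controls, even a file that passes the checks cannot be requested through the web server, and a .htaccess in that directory has nothing to apply to. If an upload directory must live under the web root, also disable per-directory overrides and script execution for it in the server configuration (`AllowOverride None` together with `php_admin_flag engine off` in the Apache virtual host), since a per-directory .htaccess is precisely what the attacker supplies in this vulnerability.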


Remediation

Install security update from vendor's website.

External links