1. Home
  2. CVE Database
  3. CVE-2025-68401
MEDIUM · 4.8

CVE-2025-68401

ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this co...

Vulnerability Description

ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts the script can access web origin data and perform privileged actions as the victim. Where session cookies are not marked HttpOnly, the script can read document.cookie, enabling session theft and account takeover. Version 6.0.0 patches the issue.

CVSS Score

4.8

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
ChurchcrmChurchcrm< 6.0.0

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2025-68401?

CVE-2025-68401 is a vulnerability with a CVSS score of 4.8 (MEDIUM). ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this co...

How severe is CVE-2025-68401?

CVE-2025-68401 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-68401?

Check the references section above for vendor advisories and patch information. Affected products include: Churchcrm Churchcrm.