## https://sploitus.com/exploit?id=8041A5D3-DA96-5487-8F42-141823F27E6C
# CVE-2025-68400: ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php
## Overview
| Field | Details |
|---|---|
| **CVE ID** | CVE-2025-68400 |
| **Vulnerability Type** | SQL Injection |
| **Severity** | CRITICAL |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Description
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a c
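The defensive point in the description is that a feature removed from the UI can still be served as a file, so requests to the legacy path are themselves a signal. The following detection script is an added example, not code from the advisory or from ChurchCRM: it scans web-server access log lines for hits on `/Reports/ConfirmReportEmail.php` and flags slow responses, the tell-tale of a time-based blind probe. The log layout (combined format with a trailing response-time field in seconds) and the sample lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Legacy endpoint named in the advisory: removed from the UI, still deployed before 6.5.3.
LEGACY_ENDPOINT = "/Reports/ConfirmReportEmail.php"

# Assumed layout: combined log format plus a trailing request-time field in seconds.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<secs>[\d.]+)$'
)


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int
    secs: float
    reason: str


def classify(line: str, slow_threshold: float = 3.0) -> Optional[Hit]:
    """Return a Hit if the line is a request to the legacy endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    base = path.split("?", 1)[0]
    # Compare case-insensitively so a Windows/IIS deployment does not slip past the check.
    if base.lower() != LEGACY_ENDPOINT.lower():
        return None
    secs = float(m.group("secs"))
    reason = "legacy endpoint reached"
    if secs >= slow_threshold:
        reason += "; slow response (possible time-based probe)"
    return Hit(m.group("ip"), m.group("ts"), path, int(m.group("status")), secs, reason)


def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (classify(line) for line in lines) if h]


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /Reports/ConfirmReportEmail.php?x=1 HTTP/1.1" 200 512 0.04',
    '203.0.113.5 - - [10/Jan/2026:10:00:09 +0000] "GET /Reports/ConfirmReportEmail.php?x=2 HTTP/1.1" 200 512 5.02',
    '198.51.100.7 - - [10/Jan/2026:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 2048 0.03',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.ip} {hit.secs:.2f}s {hit.path} -> {hit.reason}")
```

Any hit at all on this path after the upgrade to 6.5.3 (or after the file has been deleted) means the legacy file is still being served and should be removed from the deployment.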
## Affected Products
- **ChurchCRM/CRM**
## References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v54g-2pvg-gvp2
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.