Home > Vulnerability Database > CVE-2025-67751

Mend.io Vulnerability Database

CVE-2025-67751

Good to know:

Date: December 15, 2025

ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the "EventEditor.php" file. When creating a new event and selecting an event type, the "EN_tyid" POST parameter is not sanitized. This allows an authenticated user with event management permissions ("isAddEvent") to execute arbitrary SQL queries. Version 6.5.0 fixes the issue.

Severity Score

7.2

Related Resources (4)

Url: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-wxcc-gvfv-56fg

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-67751

Url: https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd

Url: https://www.mend.io/vulnerability-database/CVE-2025-67751

Severity Score

7.2

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Top Fix

Upgrade Version

Upgrade to version https://github.com/ChurchCRM/CRM.git - 6.5.0

Learn More

CVSS v3.1

Base Score:	7.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-67751

Good to know:

Date: December 15, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?