ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

No data.

No data.

No data.

No data.

References
Link Providers
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3q97-q4hv-gxwr cve-icon cve-icon
History

Wed, 17 Dec 2025 22:00:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue.
Title ChurchCRM vulnerable to Stored XSS - Group name > Person Listing
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-12-17T21:53:22.864Z

Reserved: 2025-12-16T14:17:32.388Z

Link: CVE-2025-68275

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2025-12-17T22:16:01.923

Modified: 2025-12-17T22:16:01.923

Link: CVE-2025-68275

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.