Info Published: Dec 16, 2025

CVE-2025-67874

0 CVSS Score Info

Export CVE-2025-67874 Data:

Link copied!

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.

Weaknesses (CWE)

CWE-204

References & External Links

https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p98h-5xcj-5c6x

External Resources

NVD Official Record Exploit-DB Search Exploits CVE Details Statistics GitHub PoC / Tools X / Twitter Discussions Google Search More

CVE History Timeline

Dec 16, 2025 01:15 New CVE Received

← Back to CVE Tracker

Description

Weaknesses (CWE)

References & External Links

External Resources

Related Vulnerabilities

CVE History Timeline