CVE-2025-11938

A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: Oct 19, 2025
Updated: Nov 4, 2025
CVE: CVE-2025-11938
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.6
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v2:

Severity: Medium
Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P

CWEs:

CWE-20
CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
churchcrm / churchcrm	-	5.18.0.x

https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md
https://vuldb.com/?ctiid.329014
https://vuldb.com/?id.329014
https://vuldb.com/?submit.671083

Vulnerability Database

CVE-2025-11938

Deep Security Visibility Without the Complexity