CVE-2025-11938 ChurchCRM setup.php deserialization

🗓️ 19 Oct 2025 07:32:05Reported by VulDBType

CVE-2025-11938: ChurchCRM 5.18.0 exposes deserialization in setup.php via DB_PASSWORD, ROOT_PATH, or URL.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2025-11938	19 Oct 202507:32	–	attackerkb
Circl	CVE-2025-11938	19 Oct 202508:55	–	circl
CNNVD	ChurchCRM 代码问题漏洞	19 Oct 202500:00	–	cnnvd
CNVD	ChurchCRM Deserialization Vulnerability	23 Oct 202500:00	–	cnvd
CVE	CVE-2025-11938	19 Oct 202507:32	–	cve
EUVD	EUVD-2025-35002	19 Oct 202509:30	–	euvd
NVD	CVE-2025-11938	19 Oct 202508:15	–	nvd
RedhatCVE	CVE-2025-11938	20 Oct 202519:29	–	redhatcve
Vulnrichment	CVE-2025-11938 ChurchCRM setup.php deserialization	19 Oct 202507:32	–	vulnrichment

[
  {
    "vendor": "n/a",
    "product": "ChurchCRM",
    "versions": [
      {
        "version": "5.0",
        "status": "affected"
      },
      {
        "version": "5.1",
        "status": "affected"
      },
      {
        "version": "5.2",
        "status": "affected"
      },
      {
        "version": "5.3",
        "status": "affected"
      },
      {
        "version": "5.4",
        "status": "affected"
      },
      {
        "version": "5.5",
        "status": "affected"
      },
      {
        "version": "5.6",
        "status": "affected"
      },
      {
        "version": "5.7",
        "status": "affected"
      },
      {
        "version": "5.8",
        "status": "affected"
      },
      {
        "version": "5.9",
        "status": "affected"
      },
      {
        "version": "5.10",
        "status": "affected"
      },
      {
        "version": "5.11",
        "status": "affected"
      },
      {
        "version": "5.12",
        "status": "affected"
      },
      {
        "version": "5.13",
        "status": "affected"
      },
      {
        "version": "5.14",
        "status": "affected"
      },
      {
        "version": "5.15",
        "status": "affected"
      },
      {
        "version": "5.16",
        "status": "affected"
      },
      {
        "version": "5.17",
        "status": "affected"
      },
      {
        "version": "5.18.0",
        "status": "affected"
      }
    ],
    "cpes": [
      "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*"
    ]
  }
]

Source	Link
vuldb	www.vuldb.com/
vuldb	www.vuldb.com/
github	www.github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md
vuldb	www.vuldb.com/

24 Feb 2026 07:01Current

CVSS 25.1

CVSS 3.15.6

CVSS 35.6

CVSS 46.3

EPSS0.00124