CVE-2025-66313
ChurchCRM versions 6.2.0 and earlier are vulnerable to a time-based blind SQL injection in the 1FieldSec parameter. Injecting SLEEP() triggers deterministic server-side delays, showing the value is embedded in a SQL query without proper parameterization. In the affected versions, this can enable ...