GET

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

GET /api/vulnerabilities/93086?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93086?format=api",
    "vulnerability_id": "VCID-g9sh-kdy5-z7gd",
    "summary": "ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue.",
    "aliases": [
        {
            "alias": "CVE-2025-68112"
        }
    ],
    "fixed_packages": [],
    "affected_packages": [],
    "references": [
        {
            "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68112",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "0.00043",
                    "scoring_system": "epss",
                    "scoring_elements": "0.13425",
                    "published_at": "2026-06-11T12:55:00Z"
                },
                {
                    "value": "0.00043",
                    "scoring_system": "epss",
                    "scoring_elements": "0.13543",
                    "published_at": "2026-06-12T12:55:00Z"
                },
                {
                    "value": "0.00043",
                    "scoring_system": "epss",
                    "scoring_elements": "0.13546",
                    "published_at": "2026-06-13T12:55:00Z"
                },
                {
                    "value": "0.00043",
                    "scoring_system": "epss",
                    "scoring_elements": "0.13519",
                    "published_at": "2026-06-14T12:55:00Z"
                }
            ],
            "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68112"
        },
        {
            "reference_url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq",
            "reference_id": "GHSA-hxf4-3vhp-wqcq",
            "reference_type": "",
            "scores": [
                {
                    "value": "9.6",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"
                },
                {
                    "value": "Track*",
                    "scoring_system": "ssvc",
                    "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-18T14:54:59Z/"
                }
            ],
            "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 89,
            "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
            "description": "The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component."
        }
    ],
    "exploits": [],
    "severity_range_score": "9.6 - 9.6",
    "exploitability": null,
    "weighted_severity": null,
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g9sh-kdy5-z7gd"
}