Impact
A flaw in ChurchCRM's backup restore feature lets an authenticated administrator upload a file under an attacker-chosen name. The file is written, under that name, to the temporary directory /var/www/html/tmp_attach/ChurchCRMBackups/ inside the web root. Because the name is not validated, the attacker can drop a crafted .htaccess file there; if Apache honours per-directory overrides for that path, the file changes how the directory is served and lets the attacker execute arbitrary code, fully compromising the host. The weakness combines path traversal (CWE-22), since an unvalidated name can also carry directory components, with unrestricted file upload (CWE-434).
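As an added illustration (not ChurchCRM's code and not the patched RestoreJob.php), the unsafe pattern the advisory describes next to a hardened version in PHP. The function names, the allow-list regex, the directory constant and the generated on-disk name are assumptions made for the example; the hardened form keeps the client-supplied name out of the path entirely.

```php
<?php
// Added example, not ChurchCRM's own code. Function names and the
// allow-list of extensions are hypothetical choices for illustration.
declare(strict_types=1);

const BACKUP_DIR = '/var/www/html/tmp_attach/ChurchCRMBackups';

// UNSAFE: trusts the client-supplied name. A name such as ".htaccess" or
// one containing "../" lands wherever the client chose, inside the web root.
function save_uploaded_backup_unsafe(array $file, string $backupDir = BACKUP_DIR): string
{
    $target = $backupDir . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $target);
    return $target;
}

// Validate the client name and return only the allow-listed extension.
// Throws on anything that is not a plain archive/dump filename.
function validate_backup_name(string $clientName): string
{
    // Drop any directory component first (handles both / and \ separators).
    $base = basename(str_replace('\\', '/', $clientName));
    // Reject empty names and dotfiles (.htaccess, .user.ini, "..") outright.
    if ($base === '' || $base[0] === '.') {
        throw new InvalidArgumentException('Rejected filename: ' . $clientName);
    }
    // Only the archive/dump types a restore should ever need are accepted.
    if (!preg_match('/^[A-Za-z0-9._-]+\.(tar\.gz|sql|sql\.gz)$/', $base, $m)) {
        throw new InvalidArgumentException('Rejected filename: ' . $clientName);
    }
    return $m[1];
}

// SAFE: the client name only decides the extension; the on-disk name is
// generated server-side and the directory is pinned with realpath().
function save_uploaded_backup_safe(array $file, string $backupDir = BACKUP_DIR): string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    $ext = validate_backup_name($file['name']);
    $dir = realpath($backupDir);
    if ($dir === false) {
        throw new RuntimeException('Backup directory missing');
    }
    $target = $dir . '/restore-' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Upload failed');
    }
    return $target;
}

// Constructed sample names, exercised without touching the filesystem.
foreach (['backup.tar.gz', '.htaccess', '../../shell.php', 'dump.sql'] as $name) {
    try {
        echo $name, ' -> accepted (', validate_backup_name($name), ")\n";
    } catch (InvalidArgumentException $e) {
        echo $name, ' -> ', $e->getMessage(), "\n";
    }
}
```

Even with the hardened handler, an upload directory under the web root should be served with Apache's AllowOverride None (so a stray .htaccess is ignored) and with script execution disabled, so that a future validation bypass cannot turn a dropped file into code execution.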
Affected Systems
ChurchCRM installations running any version prior to 6.5.3 are affected. The vulnerability resides in src/ChurchCRM/Backup/RestoreJob.php. The missing filename validation does not depend on the host operating system, so Linux, Windows and other deployments are all affected; note, however, that the .htaccess code-execution vector described in the advisory requires Apache (or another server that honours .htaccess files), and the /var/www/html/ path reflects a typical Linux layout. The advisory does not detail the server environment it was tested against.
Risk and Exploitability
The CVSS score of 9.1 places this vulnerability in the Critical range. The EPSS score is below 1%, which estimates a low probability of exploitation in the wild over the next 30 days rather than reporting observed attempts, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires authenticated administrator access; an attacker who obtains or compromises such credentials can upload the crafted file and then trigger execution through the altered .htaccess. The impact is loss of confidentiality, integrity and availability, up to full system takeover. Because the advisory gives no operating-system or web-server details, platform-dependent mitigations (for example, whether .htaccess overrides are honoured for the upload directory) cannot be evaluated from the available data and must be checked per deployment.
OpenCVE Enrichment