ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint /Reports/ConfirmReportEmail.php in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL.

This is a classic case of dead but reachable code. Any authenticated user - including one with zero assigned permissions - can exploit SQL injection through the familyId parameter. Version 6.5.3 fixes the issue.