CVE-2026-24854

Published: Jan 30, 2026Modified: Feb 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue.

Affected (1)

Products: Churchcrm: Churchcrm

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Churchcrm Churchcrm	Before 6.7.2

Related CWEs

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (2)

http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38

Source: security-advisories@github.com

Patch

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.