Unrated severity · OSV Advisory · Published Jan 30, 2026 · Updated Jan 30, 2026
Church CRM has SQL injection in PaddleNumEditor.php
CVE-2026-24854
Description
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint /PaddleNumEditor.php in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the PerID parameter. Version 6.7.2 contains a patch for the issue.
References
- github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38 (fix commit)
- github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr (GitHub Security Advisory)