OSV Advisory · Severity: unrated · Published Jan 30, 2026 · Updated Jan 30, 2026
Church CRM has SQL injection in PaddleNumEditor.php
CVE-2026-24854
Description
ChurchCRM is an open-source church management system. Versions of ChurchCRM prior to 6.7.2 contain a SQL injection vulnerability in the /PaddleNumEditor.php endpoint, reachable through the PerID request parameter. Exploitation requires only an authenticated session: a user with zero assigned permissions can still inject SQL through PerID. Version 6.7.2 contains a patch for the issue.
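To make the class of bug concrete, the following is an added illustration and not ChurchCRM's code or the actual fix (the real change is in the commit listed under References). It assumes a hypothetical page that loads a person record by the PerID parameter; the table and column names (person_per, per_ID, per_FirstName, per_LastName) and the in-memory SQLite fixture are constructed for the example. It shows the unsafe pattern (request value concatenated into the query text) beside two hardened forms: strict integer validation of PerID, and a prepared statement that binds the value as data.

```php
<?php
// Added example (not ChurchCRM's code): the SQL injection pattern described
// in the advisory, and how to close it. Names and schema are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the untrusted PerID value is pasted into the SQL text.
// Anyone who can reach the page controls the WHERE clause.
function buildLookupQueryVulnerable(array $request): string
{
    $perId = $request['PerID'] ?? '';
    return "SELECT per_ID, per_FirstName, per_LastName FROM person_per WHERE per_ID = " . $perId;
}

// Hardened step 1: validate the parameter's type before it goes anywhere.
// PerID is a numeric key, so anything that is not a positive integer is rejected.
function parsePerId(array $request): int
{
    $raw = $request['PerID'] ?? null;
    if (!is_string($raw) && !is_int($raw)) {
        throw new InvalidArgumentException('PerID missing');
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($value === false) {
        throw new InvalidArgumentException('PerID must be a positive integer');
    }
    return $value;
}

// Hardened step 2: bind the value with a prepared statement. The query text
// is fixed at development time; the parameter travels as data, never as SQL.
function loadPerson(PDO $db, array $request): ?array
{
    $perId = parsePerId($request);
    $stmt = $db->prepare(
        'SELECT per_ID, per_FirstName, per_LastName FROM person_per WHERE per_ID = :id'
    );
    $stmt->bindValue(':id', $perId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration against a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE person_per (per_ID INTEGER PRIMARY KEY, per_FirstName TEXT, per_LastName TEXT)');
$db->exec("INSERT INTO person_per VALUES (1, 'Ann', 'Example'), (2, 'Bob', 'Sample')");

// A tampered PerID turns the single-row lookup into a dump of every row.
$tampered = ['PerID' => '1 OR 1=1'];
echo buildLookupQueryVulnerable($tampered), PHP_EOL;
$rows = $db->query(buildLookupQueryVulnerable($tampered))->fetchAll(PDO::FETCH_ASSOC);
echo count($rows), " row(s) returned by the vulnerable query", PHP_EOL;

// The hardened path refuses the same input before any SQL is executed.
try {
    loadPerson($db, $tampered);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate integer still works as intended.
var_dump(loadPerson($db, ['PerID' => '2']));
```

The two hardening steps are complementary, not alternatives: the prepared statement is what actually removes the injection, while the integer check keeps malformed input from ever reaching the database layer and gives a clean error to log. When reviewing the fix commit, the thing to confirm is that PerID (and any sibling parameters on the same page) no longer reaches query text through string concatenation.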
Affected products: 1
Patches indexed: 0 (none discovered by this index yet; the advisory states the fix ships in version 6.7.2, and the fix commit is listed under References)
References (2)
- https://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38 (refsource: MISC)
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr (refsource: CONFIRM)
News mentions: 0 (no linked articles in the index yet)