CVE-2026-24854
Unknown Unknown - Not Provided
SQL Injection in ChurchCRM /PaddleNumEditor.php Allows Data Access

Publication date: 2026-01-30

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24854
EUVD
EUVD-2026-5023
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 6.7.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24854 is a high-severity SQL injection vulnerability in ChurchCRM's PaddleNumEditor.php endpoint. It occurs because the PerID parameter from a POST request is not properly sanitized or type cast before being concatenated into an SQL query. This allows any authenticated user, even those with zero assigned permissions, to inject malicious SQL code. The vulnerability enables attackers to manipulate the database queries, potentially leading to unauthorized data access or modification. [1]

Impact Analysis

Exploitation of this vulnerability can lead to complete compromise of the ChurchCRM database, including reading, writing, and deleting data. Attackers can extract all sensitive information stored in ChurchCRM, escalate privileges, and possibly execute remote code depending on the SQL server configuration. The impact affects confidentiality, integrity, and availability of the system with high severity. [1]

Detection Guidance

This vulnerability can be detected by attempting to exploit the SQL injection in the /PaddleNumEditor.php endpoint using the PerID parameter. A proof-of-concept involves injecting payloads such as 'sleep(5)-- -' into the PerID parameter and observing a delay in the response time, indicating SQL execution. Automated tools like sqlmap can be used to test for this SQL injection by targeting the POST request to /PaddleNumEditor.php with the PerID parameter. Additionally, intercepting and modifying POST requests to this endpoint while logged in as any authenticated user can help detect the vulnerability. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade ChurchCRM to version 6.7.2 or later, where the vulnerability is patched. The patch involves casting the PerID, Num, and related parameters to integers before using them in SQL queries, preventing SQL injection. If upgrading is not immediately possible, ensure that input parameters to /PaddleNumEditor.php are properly sanitized and type cast to integers to prevent malicious input from altering SQL queries. [2]

Compliance Impact

The SQL injection vulnerability in ChurchCRM allows any authenticated user to execute arbitrary SQL commands, potentially leading to complete database compromise including reading, modifying, or deleting sensitive data. This could result in unauthorized access to personal or sensitive information managed by the system, thereby risking non-compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding sensitive data against unauthorized access and breaches. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24854. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart