{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24854", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T14:51:03.061Z", "datePublished": "2026-01-30T15:05:12.017Z", "dateUpdated": "2026-01-30T15:57:32.491Z"}, "containers": {"cna": {"title": "Church CRM has SQL injection in PaddleNumEditor.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr"}, {"name": "http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38", "tags": ["x_refsource_MISC"], "url": "http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 6.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T15:05:12.017Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue."}], "source": {"advisory": "GHSA-p3q7-q68q-h2gr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T15:56:43.052242Z", "id": "CVE-2026-24854", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T15:57:32.491Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24854", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-30T15:56:43.052242Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T15:56:57.505Z"}}], "cna": {"title": "Church CRM has SQL injection in PaddleNumEditor.php", "source": {"advisory": "GHSA-p3q7-q68q-h2gr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 6.7.2"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr", "tags": ["x_refsource_CONFIRM"]}, {"url": "http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38", "name": "http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T15:05:12.017Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24854", "state": "PUBLISHED", "dateUpdated": "2026-01-30T15:57:32.491Z", "dateReserved": "2026-01-27T14:51:03.061Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-30T15:05:12.017Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "161E79F7-BCB4-4899-A126-EDBC227BE903", "versionEndExcluding": "6.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue."}], "id": "CVE-2026-24854", "lastModified": "2026-02-17T14:33:24.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-30T16:16:13.620", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:07:15.401992+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version\u202f6.7.2 or later to remove the injection flaw. ", "Audit user accounts and revoke or assign proper permissions so that no authenticated user has zero privileges. ", "Add input validation or use parameterized queries in PaddleNumEditor.php to ensure the PerID value is strictly checked before database use."], "summary": {"action": "Apply patch", "impact": "SQL injection enabling data manipulation or disclosure by any authenticated user"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the ChurchCRM product for all releases prior to version 6.7.2. Users running earlier builds of the CRM must review the upgrade path, as the patch is included starting with release 6.7.2.", "description_and_impact": "A SQL injection flaw lives in ChurchCRM\u2019s /PaddleNumEditor.php endpoint in versions earlier than 6.7.2. Any authenticated user, even if granted no permissions, can supply a crafted PerID parameter that is concatenated directly into a database query. This omission of input sanitization can permit the attacker to execute arbitrary SQL statements against the application\u2019s database, potentially allowing unauthorized disclosure, alteration, or deletion of church data.", "risk_and_exploitability": "The CVSS score of 8.8 signals high severity, while the EPSS value of less than 1% indicates the likelihood of exploitation is currently very low. The report is not listed in the CISA KEV catalog, so no public exploits are known. However, the flaw requires authentication; once an attacker has valid credentials, they can directly target the vulnerable endpoint with a malicious PerID payload, potentially compromising the entire database."}}}}, "created": "2026-02-02T09:27:37.204513+00:00", "updated": "2026-04-18T01:15:05.988114+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}