CVE-2026-24854

High CVSS: 8.8

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue.

Vendor

Churchcrm

Product

Churchcrm

CWE

CWE-89

Yayın Tarihi

2026-01-30 16:16:13

Güncelleme

2026-02-17 14:33:24

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-89 Churchcrm HIGH Churchcrm 2026

Referanslar

http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr

Benzer Kayıtlar

Medium

CVE-2026-32880

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type syst…

Low

CVE-2026-26059

ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated u…

High

CVE-2026-24855

ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) v…

Low

CVE-2025-68399

ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting…

Critical

CVE-2025-68400

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Repo…

Medium

CVE-2025-68401

ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/…