CVE-2026-24854

HighPublic PoC

Published: 30 January 2026

Published

30 January 2026

Modified

17 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 10.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24854 is a high-severity SQL Injection (CWE-89) vulnerability in Churchcrm Churchcrm. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 4 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection vulnerabilities like CVE-2026-24854 by requiring validation and sanitization of user inputs such as the PerID parameter to block arbitrary SQL execution.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of system flaws, such as patching ChurchCRM to version 6.7.2 to remediate the SQL injection in PaddleNumEditor.php.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Requires vulnerability scanning that would identify SQL injection flaws like CVE-2026-24854 in endpoints such as PaddleNumEditor.php prior to exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1485 Data Destruction Impact

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

SQL injection in network-accessible web endpoint directly enables remote exploitation of public-facing app (T1190); bypasses permission model for high-impact DB access from zero-priv accounts (T1068); allows arbitrary queries against the application database (T1213.006); supports table deletion (T1485) and content alteration (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2…

contains a patch for the issue.

Deeper analysisAI

CVE-2026-24854 is a SQL injection vulnerability (CWE-89) affecting ChurchCRM, an open-source church management system, in versions prior to 6.7.2. The flaw resides in the `/PaddleNumEditor.php` endpoint, where the `PerID` parameter fails to properly sanitize user input, allowing arbitrary SQL queries to be executed. Published on January 30, 2026, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low complexity and privileges.

Any authenticated user, including those with zero assigned permissions, can exploit this vulnerability over the network without user interaction. Successful exploitation enables attackers to read sensitive data from the database (high confidentiality impact), modify database contents (high integrity impact), and potentially disrupt service availability (high availability impact), such as extracting church member records, altering financial data, or deleting tables.

ChurchCRM version 6.7.2 addresses the issue with a patch, as detailed in the project's GitHub security advisory (GHSA-p3q7-q68q-h2gr) and the specific commit (748f5084fc06c5e12463dc7fdd62d1d31fc08d38). Security practitioners should urge users to upgrade immediately and review access controls for the affected endpoint.

Details

CWE(s): CWE-89

Affected Products

churchcrm

≤ 6.7.2

CVEs Like This One

CVE-2026-39329Same product: Churchcrm Churchcrm

CVE-2025-1135Same product: Churchcrm Churchcrm

CVE-2026-39343Same product: Churchcrm Churchcrm

CVE-2025-1023Same product: Churchcrm Churchcrm

CVE-2026-39340Same product: Churchcrm Churchcrm

CVE-2025-1134Same product: Churchcrm Churchcrm

CVE-2026-39319Same product: Churchcrm Churchcrm

CVE-2025-1133Same product: Churchcrm Churchcrm

CVE-2026-39342Same product: Churchcrm Churchcrm

CVE-2025-1132Same product: Churchcrm Churchcrm

References

http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38
Patch · security-advisories@github.com
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr
Exploit, Vendor Advisory · security-advisories@github.com