ChurchCRM, an open-source church management system, contains a critical SQL Injection vulnerability identified as CVE-2026-24854 (CWE-89) in its /PaddleNumEditor.php endpoint. This vulnerability arises from improper neutralization of special elements in the SQL command via the PerID parameter. Any authenticated user, including those with zero assigned permissions, can exploit this flaw to inject malicious SQL code. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), and only low privileges (PR:L) with no user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability (C:H/I:H/A:H) of the database, potentially allowing attackers to read, modify, or delete sensitive data or disrupt service. The flaw affects all ChurchCRM versions prior to 6.7.2, which includes a patch to fix the issue. Although no known exploits have been reported in the wild, the ease of exploitation and high impact make this a significant threat. The vulnerability is particularly concerning because it allows exploitation by any authenticated user, lowering the barrier for attackers who gain minimal access.

For European organizations using ChurchCRM, this vulnerability poses a serious risk of data breaches, unauthorized data manipulation, and service outages. Churches and religious organizations often store sensitive personal data of their members, including contact information, donation records, and event participation details. Exploitation could lead to exposure of personally identifiable information (PII), financial fraud, or reputational damage. The ability for low-privilege users to execute SQL Injection attacks increases the risk from insider threats or compromised accounts. Additionally, disruption of church management services could impact operational continuity. Given the high CVSS score and the critical nature of the vulnerability, organizations that have not applied the patch are at significant risk of compromise.

European organizations should immediately upgrade ChurchCRM to version 6.7.2 or later, which contains the official patch for this vulnerability. Until the upgrade is applied, organizations should restrict access to the /PaddleNumEditor.php endpoint to trusted users only and implement strict authentication and monitoring controls to detect anomalous database queries. Employing Web Application Firewalls (WAFs) with SQL Injection detection rules can help mitigate exploitation attempts. Regularly audit user permissions to ensure no unnecessary accounts have authentication access, and enforce strong password policies to reduce the risk of account compromise. Additionally, database activity monitoring should be enabled to detect suspicious SQL commands. Organizations should also review logs for any signs of attempted exploitation and prepare incident response plans specific to SQL Injection attacks.