Vulnerability Type: SQL Injection
Vulnerable Component: ChurchCRM / PaddleNumEditor.php
Severity: High (CVSS: 8.8/10)
Affected Version: 6.6.1
Patched Version: None
CVE ID: CVE-2026-24854
Weakness: CWE-89

Summary:
- A high-severity SQL injection vulnerability in the endpoint of ChurchCRM 6.6.1 allows any authenticated user, including accounts with no assigned permissions, to inject SQL through the parameter.

Details:
- The vulnerable code is located in .
- Lines 42-43 use the input values without casting them to integers, and without escaping, quoting, type enforcement, or parameter binding.
- A payload containing 'or' or '--' therefore alters the query logic and is executed by the database.
- A time-based payload delays the response, confirming that the injected SQL is executed.

PoC:
- Step-by-step instructions and video evidence show how an attacker with zero permissions can exploit the vulnerability.

Impact:
- Complete database compromise.
- Extraction of all sensitive ChurchCRM data.
- Potential privilege escalation.
- Potential remote code execution, depending on the SQL functions available and the database configuration.
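The root cause listed under Details (an integer-valued parameter reaching SQL without a cast or a bound parameter) as an added example. This is illustrative PHP written for this page, not ChurchCRM's code and not the vulnerable file: the `paddle` table, its rows, and the `lookupVulnerable` / `lookupHardened` functions are constructed for the demo, and the SQLite in-memory database is an assumption chosen so the script runs offline.

```php
<?php
// Added illustration, not ChurchCRM code. The table, rows, column names and
// the lookup functions are constructed for this demo; the only thing taken
// from the advisory is the bug class: an integer id reaching SQL without a
// cast or a bound parameter.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE paddle (id INTEGER PRIMARY KEY, owner TEXT, note TEXT)');
$db->exec("INSERT INTO paddle (id, owner, note) VALUES
    (1, 'alice', 'public'), (2, 'bob', 'secret'), (3, 'carol', 'secret')");

// Vulnerable pattern: the request value is interpolated into the statement,
// so anything after the number is parsed as SQL grammar, not as data.
function lookupVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT id, owner, note FROM paddle WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a plain integer, then bind
// the value as an integer parameter so the database never parses it as SQL.
function lookupHardened(PDO $db, string $id): array
{
    if (!preg_match('/^[0-9]+$/', $id)) {
        throw new InvalidArgumentException("id must be a non-negative integer, got '$id'");
    }
    $stmt = $db->prepare('SELECT id, owner, note FROM paddle WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a benign id and a boolean-based payload of the kind the
// advisory describes (an OR tautology, with -- commenting out whatever follows).
$inputs = ['benign' => '1', 'payload' => '1 OR 1=1 --'];

foreach ($inputs as $label => $value) {
    $rows = lookupVulnerable($db, $value);
    printf("vulnerable %-7s -> %d row(s): %s\n", $label, count($rows),
        implode(',', array_column($rows, 'owner')));
}

foreach ($inputs as $label => $value) {
    try {
        $rows = lookupHardened($db, $value);
        printf("hardened   %-7s -> %d row(s): %s\n", $label, count($rows),
            implode(',', array_column($rows, 'owner')));
    } catch (InvalidArgumentException $e) {
        printf("hardened   %-7s -> rejected: %s\n", $label, $e->getMessage());
    }
}
```

Run it with the php CLI and the pdo_sqlite extension enabled. The tautology payload makes the concatenated query match every row, which is the data-extraction path the Impact section describes; the same input never reaches the hardened query because the integer check rejects it before any SQL is built. A bare `(int)` cast on its own would also stop the injection, since PHP coerces `'1 OR 1=1 --'` to `1`, but it silently serves a record instead of signalling the tampering, so the explicit validation plus `PDO::PARAM_INT` binding is the form to copy. SQLite has no sleep function, so the time-delay check mentioned in Details (available on DBMSs that expose one, such as MySQL's SLEEP()) is not reproduced here; the boolean variant demonstrates the same missing cast and binding.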