Nixpkgs Security Tracker

Dismissed

Permalink CVE-2026-24854

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 3 weeks ago
@LeSuisse removed
4 packages
- ocrmypdf
- python312Packages.ocrmypdf
- python313Packages.ocrmypdf
- wordpressPackages.plugins.civicrm
1 month, 2 weeks ago
@LeSuisse dismissed 1 month, 2 weeks ago

Church CRM has SQL injection in PaddleNumEditor.php

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue.

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr x_refsource_CONFIRM
http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38 x_refsource_MISC

Affected products

CRM

==< 6.7.2

Not present in nixpkgs

Suggestion detail

References

Affected products