Stored XSS Vulnerability in ChurchCRM Affects Versions Prior to 7.2.0
CVE-2026-40483

CVSS 5.4 (MEDIUM)

Key Information:

Vendor: ChurchCRM
Status: Vendor
CVE Published: 17 April 2026

What is CVE-2026-40483?

ChurchCRM is an open-source church management system. Versions prior to 7.2.0 contain a stored Cross-Site Scripting (XSS) vulnerability in the Pledge Editor, which writes the donation comment value directly into the value attribute of an HTML input element without escaping it. An authenticated user who holds the Finance permission can therefore store a comment that closes the attribute early and adds HTML attributes or event handlers of their choosing. The payload is persisted in the database and runs in the browser of any user who later opens that pledge record for editing, so it executes with the victim's session and permissions in the application. This is why the CVSS vector records the scope as changed: the vulnerable component is the server-rendered page, while the impacted component is the victim's browser.
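To make the attribute-context bug concrete, the following PHP snippet is an added example written for this page; it is not ChurchCRM's code, and the function names, the field name and the sample comment are assumed for illustration. It renders the same input element twice, once by concatenating the stored comment verbatim (the pattern the advisory describes) and once with attribute-safe escaping.

```php
<?php
// Added example, not ChurchCRM code. Demonstrates why an unescaped value
// attribute is a stored XSS sink and how output escaping closes it.

// Constructed attacker input (assumed, not from the advisory): a double quote
// closes the value attribute, then an autofocus + onfocus pair turns the rest
// into an event handler that fires as soon as the edit page loads.
const SAMPLE_COMMENT = '" autofocus onfocus="alert(document.cookie)';

// Vulnerable pattern: the stored comment lands inside value="..." unchanged,
// so any '"' in it ends the attribute and the remainder becomes new markup.
function renderCommentFieldVulnerable(string $comment): string
{
    return '<input type="text" name="Comment" value="' . $comment . '">';
}

// Hardened pattern: escape for the HTML attribute context. ENT_QUOTES makes
// htmlspecialchars() encode both '"' and "'" (ENT_HTML5 selects the HTML5
// entity set), so the browser keeps the whole string as the field's value.
function renderCommentFieldSafe(string $comment): string
{
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="Comment" value="' . $escaped . '">';
}

// Crude regression check a reviewer can run over rendered markup: a single
// input element should carry exactly the attributes the template defines.
function inputLooksIntact(string $html): bool
{
    return preg_match_all('/\bon[a-z]+\s*=/i', $html) === 0;
}

echo renderCommentFieldVulnerable(SAMPLE_COMMENT), PHP_EOL;
echo renderCommentFieldSafe(SAMPLE_COMMENT), PHP_EOL;
var_dump(inputLooksIntact(renderCommentFieldVulnerable(SAMPLE_COMMENT)));
var_dump(inputLooksIntact(renderCommentFieldSafe(SAMPLE_COMMENT)));
```

Run it with `php` and compare the two lines: the first emits the comment's double quote as-is, so `onfocus` becomes a live handler; the second emits `&quot;` in its place and the handler text is inert. Two practitioner notes follow from this. First, the Finance permission requirement is an exploitation precondition, not a mitigation; the fix belongs at the output sink (escape every untrusted value written into an attribute), not in the permission model. Second, once the sink escapes on output, comments already stored before the upgrade are rendered harmlessly, but searching them for `"` or `<` followed by `on...=` patterns tells you whether anyone attempted this against your instance.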

Affected Version(s)

ChurchCRM < 7.2.0


CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 17 April 2026