Stored XSS Vulnerability in ChurchCRM Management System
CVE-2026-40593

4.8 MEDIUM

Key Information:

Vendor: ChurchCRM
Status: Vendor
CVE Published: 18 April 2026

What is CVE-2026-40593?

ChurchCRM is a church management system written in PHP. In versions prior to 7.2.0 it contains a stored cross-site scripting (XSS) vulnerability caused by improper handling of HTML-significant characters in usernames. The User Editor (UserEditor.php) renders stored usernames directly into the value attribute of HTML input elements without passing them through htmlspecialchars(). A username that contains a double quote can therefore close the value attribute, and anything that follows it (additional attributes, including event handlers) is interpreted as markup. Because the payload is stored with the user record, it executes in the browser of any administrator who later opens that user's editor page, giving the attacker script execution in an administrative session. Note that saving a username requires an account that can edit users (Privileges Required: High), so the realistic threat is a lower-trust administrator, or a compromised administrative account, attacking other administrators.
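The following is an added example, not code from ChurchCRM, that models the rendering pattern the advisory describes: a stored username written into an input value attribute, first without escaping and then with htmlspecialchars(). The sample username, the field name and the function names are assumptions made for illustration.

```php
<?php
// Added example (not ChurchCRM code) modelling the pattern behind CVE-2026-40593:
// a stored username rendered into an <input value="..."> attribute.
// Field name, function names and the sample username are assumptions.

declare(strict_types=1);

// Constructed sample: a username an attacker saved. The double quote closes the
// value attribute, so the rest becomes new attributes. No <script> tag is needed.
$storedUserName = 'alice" autofocus onfocus="alert(document.cookie)';

// Vulnerable pattern: the stored value is concatenated straight into the attribute.
function renderUserNameInputVulnerable(string $userName): string
{
    return '<input type="text" name="UserName" value="' . $userName . '">';
}

// Hardened pattern: htmlspecialchars with ENT_QUOTES so both " and ' are encoded,
// an explicit charset, and ENT_SUBSTITUTE so an invalid byte sequence yields a
// replacement character instead of an empty string (which would silently drop
// the value and hide the problem).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderUserNameInputSafe(string $userName): string
{
    return '<input type="text" name="UserName" value="' . e($userName) . '">';
}

// Cheap regression check for templates: the rendered tag must end with a single
// quoted value attribute followed by the closing bracket, i.e. the value never
// crossed the attribute boundary.
function attributeIntact(string $html): bool
{
    return preg_match('/value="[^"]*"\s*>$/', $html) === 1;
}

echo "Vulnerable: " . renderUserNameInputVulnerable($storedUserName) . PHP_EOL;
echo "Hardened:   " . renderUserNameInputSafe($storedUserName) . PHP_EOL;

echo 'Vulnerable attribute intact: ' . var_export(attributeIntact(renderUserNameInputVulnerable($storedUserName)), true) . PHP_EOL;
echo 'Hardened attribute intact:   ' . var_export(attributeIntact(renderUserNameInputSafe($storedUserName)), true) . PHP_EOL;
```

The escaping must happen at output time, in the attribute context, regardless of any validation applied when the username was saved: a value that was stored before a validation rule was added, or imported from another source, is still rendered by the same template. ENT_QUOTES matters here because the value attribute is delimited by double quotes; the default flags of older PHP versions leave single quotes alone, which is unsafe if a template ever uses single-quoted attributes.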

Affected Version(s)

ChurchCRM < 7.2.0

References

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
