← back
CVE-2026-40593

ChurchCRM: Stored XSS in UserEditor.php via Login Name Field

CVSS 4.8 MEDIUMEPSS 0.2%CWE-116CWE-79
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.8EPSS 0.2%KEV nãoPoC Patch
Lifecycle
18 Apr 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applying htmlspecialchars(). An administrator can save a username containing HTML attribute-breaking characters and event handlers, which execute in the browser of any administrator who subsequently views that user's editor page, resulting in stored XSS. This issue has been fixed in version 7.2.0.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Affected products
ChurchCRM · CRM

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7h46-9f64-p49q