← voltar
CVE-2026-40593

ChurchCRM: Stored XSS in UserEditor.php via Login Name Field

CVSS 4.8 MEDIUMEPSS 0.2%CWE-116CWE-79
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 4.8EPSS 0.2%KEV nãoPoC Patch
Ciclo de vida
18 abr 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applying htmlspecialchars(). An administrator can save a username containing HTML attribute-breaking characters and event handlers, which execute in the browser of any administrator who subsequently views that user's editor page, resulting in stored XSS. This issue has been fixed in version 7.2.0.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Produtos afetados
ChurchCRM · CRM

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7h46-9f64-p49q