Medium severity5.4NVD Advisory· Published Apr 18, 2026· Updated Apr 20, 2026

CVE-2026-40483

Description

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML attribute-breaking characters and event handlers into the comment field, which are stored in the database and execute in the browser of any user who subsequently opens the pledge record for editing, resulting in stored XSS. This issue has been fixed in version 7.2.0.

Affected products

Churchcrm/Crmreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/ChurchCRM/CRM/commit/b3da72a2b35f9c600e340a9dfd35e7792ff4f899nvd
github.com/ChurchCRM/CRM/pull/8609nvd
github.com/ChurchCRM/CRM/security/advisories/GHSA-wjmf-w8gj-rx7gnvd

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000