Skip to main content

ChurchCRM CVE-2026-40483

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-18 security-advisories@github.com
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Apr 18, 2026 - 00:40 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML attribute-breaking characters and event handlers into the comment field, which are stored in the database and execute in the browser of any user who subsequently opens the pledge record for editing, resulting in stored XSS. This issue has been fixed in version 7.2.0.

AnalysisAI

ChurchCRM versions prior to 7.2.0 allow authenticated users with Finance permissions to store malicious JavaScript in pledge donation comments via missing HTML escaping, which executes in the browsers of any subsequent users who edit the pledge record, resulting in stored cross-site scripting (XSS). The vulnerability requires Finance role access and victim interaction (opening the pledge editor), but affects all users who view the compromised record, with no known public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

The Pledge Editor in ChurchCRM directly renders donation comment values into HTML input value attributes without sanitization via htmlspecialchars() or equivalent output encoding. This is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability. The stored XSS vector occurs because comments are persisted to the database unescaped and later rendered without escaping when the pledge record is loaded for editing. The vulnerability chain involves: (1) authenticated Finance user injects malicious HTML/JavaScript into comment field, (2) application stores unescaped payload in database, (3) any user opening that pledge record in the editor receives the comment value in an HTML attribute without context-appropriate escaping, (4) browser interprets the payload within the attribute context (e.g., onmouseover="malicious code"), executing JavaScript in the victim's security context.

Affected ProductsAI

ChurchCRM versions prior to 7.2.0 are affected. The vulnerability exists across all deployment instances running versions 7.1.x and earlier. No CPE string is listed in available references, but GitHub repository identification is: ChurchCRM/CRM (https://github.com/ChurchCRM/CRM). The fix is available in ChurchCRM version 7.2.0 and later.

RemediationAI

Upgrade ChurchCRM to version 7.2.0 or later immediately, which includes the htmlspecialchars() escaping fix applied in commit b3da72a2b35f9c600e340a9dfd35e7792ff4f899. If immediate upgrade is not feasible, implement compensating controls: (1) restrict Finance role assignment to trusted administrators only and audit existing Finance users for legitimacy, with trade-off being reduced operational flexibility; (2) disable or restrict access to the Pledge Editor feature until patched, using application-level access controls or reverse proxy rules blocking /pledges or similar pledge-related endpoints, with trade-off being inability to edit pledges remotely; (3) deploy a Web Application Firewall (WAF) with Content Security Policy (CSP) headers (e.g., script-src 'self') to limit malicious script execution even if XSS payloads reach browsers, though this does not prevent the stored XSS itself and requires careful policy tuning to avoid breaking legitimate functionality. See GitHub Security Advisory GHSA-wjmf-w8gj-rx7g and PR #8609 for patch details and testing guidance.

Share

CVE-2026-40483 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy