CVE-2026-40483

Severity: MEDIUM
CVSS 3.1 score: 5.4
2026-04-18

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 18, 2026 - 00:40 (vuln.today)

Description (NVD)

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML attribute-breaking characters and event handlers into the comment field, which are stored in the database and execute in the browser of any user who subsequently opens the pledge record for editing, resulting in stored XSS. This issue has been fixed in version 7.2.0.

Analysis (AI)

ChurchCRM versions prior to 7.2.0 allow authenticated users with Finance permissions to store malicious JavaScript in pledge donation comments via missing HTML escaping, which executes in the browsers of any subsequent users who edit the pledge record, resulting in stored cross-site scripting (XSS). The vulnerability requires Finance role access and victim interaction (opening the pledge editor), but affects all users who view the compromised record, with no known public exploit code or active exploitation confirmed at time of analysis.
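
The missing attribute-context escaping described above, shown as an added example that is not ChurchCRM's code or its 7.2.0 patch: an unescaped render beside one using htmlspecialchars(), with a parser-based regression check. All function names, the form field name, and the sample comment are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not ChurchCRM identifiers.

// Before: the stored comment is concatenated into the value attribute as-is.
function renderCommentUnescaped(string $comment): string
{
    return '<input type="text" name="comment" value="' . $comment . '">';
}

// After: encoded for the attribute context. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function renderCommentEscaped(string $comment): string
{
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="comment" value="' . $safe . '">';
}

// Parse the markup with an HTML parser and return the <input>'s attributes.
function inputAttributes(string $html): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $attrs = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// Constructed sample: a benign comment whose double quote ends the attribute
// early, so the rest of the text is parsed as a new attribute.
$comment = 'Building fund" data-note="extra';

foreach (['unescaped' => renderCommentUnescaped($comment),
          'escaped'   => renderCommentEscaped($comment)] as $label => $html) {
    $attrs = inputAttributes($html);
    // Regression check: only the three intended attributes exist and the
    // stored text comes back unchanged as the value.
    $ok = array_keys($attrs) === ['type', 'name', 'value'] && $attrs['value'] === $comment;
    printf("%-9s %s\n          attributes=%s round_trip=%s\n",
        $label, $html, implode(',', array_keys($attrs)), $ok ? 'pass' : 'FAIL');
}
```

The same round-trip check can be pointed at any template that places stored values in an attribute, so a regression that drops the encoding shows up as an extra parsed attribute.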
