CVE-2026-40593
Received Received - Intake
Stored XSS in ChurchCRM UserEditor.php Allows Admin Browser Exploitation

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applying htmlspecialchars(). An administrator can save a username containing HTML attribute-breaking characters and event handlers, which execute in the browser of any administrator who subsequently views that user's editor page, resulting in stored XSS. This issue has been fixed in version 7.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-18
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40593
EUVD
EUVD-2026-23621
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 7.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in ChurchCRM versions prior to 7.2.0 in the User Editor component (UserEditor.php). The system renders stored usernames directly into an HTML input value attribute without using htmlspecialchars(), which is a function that escapes special HTML characters. Because of this, an administrator can save a username containing HTML attribute-breaking characters and event handlers. When another administrator views that user's editor page, the malicious code executes in their browser, resulting in a stored Cross-Site Scripting (XSS) attack.

Impact Analysis

The vulnerability allows an attacker with administrator privileges to inject malicious scripts into usernames. These scripts execute in the browsers of other administrators who view the affected user editor page. This can lead to unauthorized actions performed on behalf of administrators, theft of sensitive information such as session tokens, or other malicious activities within the administrative interface.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ChurchCRM to version 7.2.0 or later, where the issue has been fixed.

This update ensures that usernames are properly escaped using htmlspecialchars(), preventing stored XSS attacks.

Compliance Impact

The vulnerability in ChurchCRM allows stored cross-site scripting (XSS) attacks through the User Editor, which can lead to unauthorized script execution in the browsers of administrators viewing affected user profiles.

Such vulnerabilities can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or exposure of personal or sensitive data, violating data protection and privacy requirements.

Specifically, GDPR requires organizations to implement appropriate technical measures to protect personal data, and HIPAA mandates safeguards to ensure the confidentiality, integrity, and availability of protected health information. An XSS vulnerability could undermine these safeguards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40593. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart