CVE-2026-40593
Received Received - Intake

Stored XSS in ChurchCRM UserEditor.php Allows Admin Browser Exploitation

Vulnerability report for CVE-2026-40593, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applying htmlspecialchars(). An administrator can save a username containing HTML attribute-breaking characters and event handlers, which execute in the browser of any administrator who subsequently views that user's editor page, resulting in stored XSS. This issue has been fixed in version 7.2.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-18
Last Modified
2026-04-18
Generated
2026-07-06
AI Q&A
2026-04-18
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 7.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in ChurchCRM versions prior to 7.2.0 in the User Editor component (UserEditor.php). The system renders stored usernames directly into an HTML input value attribute without using htmlspecialchars(), which is a function that escapes special HTML characters. Because of this, an administrator can save a username containing HTML attribute-breaking characters and event handlers. When another administrator views that user's editor page, the malicious code executes in their browser, resulting in a stored Cross-Site Scripting (XSS) attack.

Impact Analysis

The vulnerability allows an attacker with administrator privileges to inject malicious scripts into usernames. These scripts execute in the browsers of other administrators who view the affected user editor page. This can lead to unauthorized actions performed on behalf of administrators, theft of sensitive information such as session tokens, or other malicious activities within the administrative interface.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ChurchCRM to version 7.2.0 or later, where the issue has been fixed.

This update ensures that usernames are properly escaped using htmlspecialchars(), preventing stored XSS attacks.

Compliance Impact

The vulnerability in ChurchCRM allows stored cross-site scripting (XSS) attacks through the User Editor, which can lead to unauthorized script execution in the browsers of administrators viewing affected user profiles.

Such vulnerabilities can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or exposure of personal or sensitive data, violating data protection and privacy requirements.

Specifically, GDPR requires organizations to implement appropriate technical measures to protect personal data, and HIPAA mandates safeguards to ensure the confidentiality, integrity, and availability of protected health information. An XSS vulnerability could undermine these safeguards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40593. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart