CVE-2026-40483 in ChurchCRMالمعلومات

الملخص

بحسب MITRE • 18/04/2026

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML attribute-breaking characters and event handlers into the comment field, which are stored in the database and execute in the browser of any user who subsequently opens the pledge record for editing, resulting in stored XSS. This issue has been fixed in version 7.2.0.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

GitHub M

حجز

13/04/2026

إفشاء

18/04/2026

الاعتدال

تمت الموافقة

إدخال

VDB-358186

CPE

جاهز

CWE

CWE-79 (مؤكد)

CVSS

5.4 (CNA)

EPSS

0.00009

KEV

لا

النشاطات

منخفض

المصادر

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-40483
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-40483
CVE Details	https://www.cvedetails.com/cve/CVE-2026-40483/

التالي ▸نظرة عامة ◂ السابق

Want to stay up to date on a daily basis?

Enable the mail alert feature now!