CVE-2026-40483
Severity: MEDIUM (5.4)

Description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML attribute-breaking characters and event handlers into the comment field, which are stored in the database and execute in the browser of any user who subsequently opens the pledge record for editing, resulting in stored XSS. This issue has been fixed in version 7.2.0.
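Added illustration of the pattern the description refers to; this is not ChurchCRM's code, and the function and variable names are assumptions. The unsafe form concatenates the stored value straight into the value attribute, while the corrected form escapes it with htmlspecialchars() using ENT_QUOTES, which also encodes the double quote that would otherwise close the attribute.

```php
<?php
// Added illustration (not ChurchCRM's code): rendering a stored donation
// comment into an <input value="..."> attribute, unsafe vs. escaped.

// Unsafe: the raw database value is placed directly into the attribute.
// Any double quote in $comment terminates the attribute early, and what
// follows is parsed as further attributes (CWE-79 via CWE-116).
function renderCommentInputUnsafe(string $comment): string
{
    return '<input type="text" name="comment" value="' . $comment . '">';
}

// Escaped: ENT_QUOTES encodes both " and ' (not just <, > and &), so the
// value can never close the attribute. ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string; the charset is given explicitly.
function renderCommentInputSafe(string $comment): string
{
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="comment" value="' . $escaped . '">';
}

// Defensive self-check: after escaping, the only double quotes in the
// output must be the two that delimit the value attribute itself.
function attributeIsIntact(string $html): bool
{
    return substr_count($html, '"') === 6; // type="text" name="comment" value="..."
}

// Constructed sample value containing the characters that matter.
$stored = 'Gift "in memory" of <Smith> & family';

echo renderCommentInputUnsafe($stored), PHP_EOL;
echo renderCommentInputSafe($stored), PHP_EOL;
var_dump(attributeIsIntact(renderCommentInputUnsafe($stored))); // attribute broken
var_dump(attributeIsIntact(renderCommentInputSafe($stored)));   // attribute intact
```

The fix is output encoding at render time; sanitising the comment on input is not a substitute, because the same stored value may be emitted into other contexts.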
CVE details
CVSS v3.1 score: 5.4
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: REQUIRED
Published: 4/18/2026
Last modified: 4/20/2026
Source: nvd
Honeypot sightings: 0
Weaknesses (CWE)
CWE-79, CWE-116
References
https://github.com/ChurchCRM/CRM/commit/b3da72a2b35f9c600e340a9dfd35e7792ff4f899 (security-advisories@github.com)
https://github.com/ChurchCRM/CRM/pull/8609 (security-advisories@github.com)
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-wjmf-w8gj-rx7g (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.