ChurchCRM Pledge Editor allows malicious HTML injection
CVE-2026-40483
Summary
A stored cross-site scripting issue affects ChurchCRM's Pledge Editor in versions older than 7.2.0. An authenticated user with Finance permissions can place script in a donation comment; the comment is saved and later runs in the browser of any other user who opens that pledge record for editing. Update to version 7.2.0 or later to fix the issue.
Original title
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via ht...
Original description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML attribute-breaking characters and event handlers into the comment field, which are stored in the database and execute in the browser of any user who subsequently opens the pledge record for editing, resulting in stored XSS. This issue has been fixed in version 7.2.0.
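The rendering pattern the description refers to, written out as an added example rather than ChurchCRM's own code: a stored comment interpolated into an input value attribute, first unescaped and then passed through htmlspecialchars(). The function names, the markup and the sample comment are constructed assumptions.

```php
<?php
// Added example, not ChurchCRM code: the vulnerable and the fixed form of the
// rendering pattern described in the advisory. Names, markup and the sample
// comment are assumptions made for illustration.

declare(strict_types=1);

// Constructed sample comment of the attribute-breaking kind the advisory
// describes: a double quote closes the value attribute and an event handler
// follows. Stored verbatim, it comes back unchanged when the pledge is edited.
$storedComment = '" onfocus="console.log(\'stored xss\')';

// Vulnerable pattern: the stored value is concatenated straight into the
// attribute. The embedded quote terminates value="..." and everything after
// it is parsed by the browser as additional attributes on the input element.
function renderCommentInputVulnerable(string $comment): string
{
    return '<input type="text" name="comment" value="' . $comment . '">';
}

// Fixed pattern: htmlspecialchars() converts &, <, >, " and (with ENT_QUOTES)
// ' into entities, so the browser sees a single literal attribute value.
// ENT_QUOTES matters in attribute context: without it a single-quoted
// attribute (value='...') would remain breakable. ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently turning the whole output into an empty string.
function renderCommentInputFixed(string $comment): string
{
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="comment" value="' . $safe . '">';
}

// Quick self-check a reviewer can run: the escaped output must contain exactly
// one raw double quote pair around the value, i.e. the two from our template.
function attributeStaysClosed(string $html): bool
{
    return substr_count($html, '"') === 2;
}

echo renderCommentInputVulnerable($storedComment), PHP_EOL;
echo renderCommentInputFixed($storedComment), PHP_EOL;
var_dump(attributeStaysClosed(renderCommentInputVulnerable($storedComment)));
var_dump(attributeStaysClosed(renderCommentInputFixed($storedComment)));
```

The same check applies to every other place a stored value lands in an attribute, since escaping for element text (where only &, < and > matter) is not sufficient there.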
NVD CVSS 3.1 score: 5.4
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
CWE-116: Improper Encoding or Escaping of Output
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026