What is CVE-2026-40593?

CVE-2026-40593 is a medium-severity vulnerability in Churchcrm Crm, classified under Cross-site Scripting. CVSS score: 4.8/10. Published 2026-04-18.

How severe is CVE-2026-40593?

Medium severity. CVSS v3 base score is 4.8 out of 10.

XSS in Churchcrm Crm

CVE-2026-40593

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applying htmlspecialchars(). An administrator c…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (1.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.8 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N.

Affected products

Churchcrm Crm — versions < 7.2.0

Weakness classification (CWE)

CWE-79 — Cross-site Scripting
CWE-116 — Improper Encoding or Escaping of Output

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7h46-9f64-p49q (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-40593?: CVE-2026-40593 is a medium-severity vulnerability in Churchcrm Crm, classified under Cross-site Scripting. CVSS score: 4.8/10. Published 2026-04-18.
How severe is CVE-2026-40593?: Medium severity. CVSS v3 base score is 4.8 out of 10.