PT-2026-33531 · Churchcrm · Churchcrm

Published: 2026-04-17 · Updated: 2026-04-18 · CVE-2026-40483

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.2.0

Description: The Pledge Editor renders donation comment values directly into HTML input value attributes without proper escaping. An authenticated user with Finance permissions can therefore inject attribute-breaking characters and event handlers into the comment field. The injected content is stored in the database and executes in the browser of any user who later opens the pledge record for editing. This is a stored Cross-Site Scripting (XSS) vulnerability, a technique in which malicious scripts are injected into a trusted website.

Recommendations: Update to version 7.2.0.
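The defect described above is an attribute-context output-encoding failure: a value written between the quotes of an HTML attribute must be encoded for that context before it reaches the page. The following PHP is an added illustration written for this advisory, not ChurchCRM's own code; the function names, the `Comment` input name and the sample comment string are assumptions. It places the vulnerable interpolation next to the hardened form and includes a small check that template helpers can reuse as a unit test.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (the class of bug the advisory describes): the stored comment is
// concatenated straight into the value="..." attribute, so a double quote inside the
// comment ends the attribute and whatever follows becomes new attributes on the <input>.
function renderCommentInputUnsafe(string $comment): string
{
    return '<input type="text" name="Comment" value="' . $comment . '">';
}

// Attribute-context encoder: htmlspecialchars() with ENT_QUOTES turns both quote
// characters, angle brackets and ampersands into entities, which the browser decodes
// back to the original text inside the attribute but never interprets as markup.
function encodeAttribute(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every untrusted value that lands in an attribute goes through the encoder.
function renderCommentInputSafe(string $comment): string
{
    return '<input type="text" name="Comment" value="' . encodeAttribute($comment) . '">';
}

// Defender-side check for template helpers: after encoding, the value must contain no
// character that could terminate the attribute or open a tag.
function attributeValueIsInert(string $encoded): bool
{
    return strpbrk($encoded, "\"'<>") === false;
}

// Constructed sample of a stored comment carrying an attribute-breaking quote followed by an
// event-handler attribute, the shape of input the advisory describes (not a real record).
$storedComment = 'Annual pledge" onmouseover="alert(document.domain)';

echo "Unsafe rendering:\n", renderCommentInputUnsafe($storedComment), "\n\n";
echo "Safe rendering:\n", renderCommentInputSafe($storedComment), "\n\n";

echo "Raw value inert?     ", var_export(attributeValueIsInert($storedComment), true), "\n";
echo "Encoded value inert? ", var_export(attributeValueIsInert(encodeAttribute($storedComment)), true), "\n";
```

In the unsafe rendering the browser sees two attributes, `value="Annual pledge"` and an `onmouseover` handler; in the safe rendering the quote has become `&quot;` and the whole string stays inside a single `value` attribute. The encoder has to be applied at every place the comment is rendered, not only in the Pledge Editor, because the value is stored and reused. Note that `htmlspecialchars()` is the right tool for HTML attribute and text contexts only; a value written into a JavaScript block or a URL needs the encoder for that context instead.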

Fix · XSS

Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers: CVE-2026-40483

Affected Products: Churchcrm