PT-2026-33543 · Churchcrm · Churchcrm
Published: 2026-04-18 · Updated: 2026-04-18 · CVE-2026-40593
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.2.0
Description: The User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without passing them through htmlspecialchars(), the PHP function that converts special characters to HTML entities so the browser does not interpret them as markup. An administrator can save a username containing attribute-breaking characters and event handlers; the injected script then executes in the browser of any administrator who subsequently views that user's editor page. This is stored Cross-Site Scripting (XSS): the malicious payload is persisted on the server and served to every later viewer of the page.
Recommendations: Update to version 7.2.0.
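As an added illustration (not ChurchCRM's own code; the function and variable names are hypothetical), the unsafe and the encoded way of rendering a stored username into an input value attribute, plus a small round-trip check a reviewer can run against either output:

```php
<?php
// Constructed sample value containing both quote characters, the two
// characters that terminate a double- or single-quoted attribute.
$username = 'Ann "Test" O\'Neil';

// Vulnerable pattern: the stored value is concatenated as-is, so the
// embedded double quote closes the attribute and whatever follows is
// parsed as further attributes of the <input> element.
function renderUnsafe(string $username): string
{
    return '<input type="text" name="username" value="' . $username . '">';
}

// Hardened pattern: ENT_QUOTES encodes both " and ', ENT_SUBSTITUTE keeps
// invalid byte sequences from emptying the output, and the charset is
// explicit. Spelling out the flags matters on PHP < 8.1, where the default
// (ENT_COMPAT) leaves single quotes unencoded.
function renderSafe(string $username): string
{
    $encoded = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="username" value="' . $encoded . '">';
}

// Regression check: extract the value attribute as a browser would (up to
// the next raw double quote), decode it, and compare with the original.
// A result of false means the attribute boundary was broken.
function roundTrips(string $html, string $original): bool
{
    if (preg_match('/value="([^"]*)"/', $html, $m) !== 1) {
        return false;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8') === $original;
}

var_dump(roundTrips(renderUnsafe($username), $username));
var_dump(roundTrips(renderSafe($username), $username));
```

The same check applied to every place a user-controlled value lands in an attribute is a cheap way to catch this class of defect during review.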

Fix: available in version 7.2.0
Weakness Enumeration: Improper Encoding or Escaping of Output; XSS
Related Identifiers: CVE-2026-40593
Affected Products: Churchcrm