CVE-2026-39390
Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (the cMap field handled by compInfosPost()) sanitizes input using strip_tags() with a tag allowlist plus regex-based removal of on\w+ event-handler attributes. The srcdoc attribute is not an event handler, so it passes both filters. An attacker with admin settings access can inject an iframe payload whose srcdoc attribute carries HTML-entity-encoded JavaScript; because a srcdoc document inherits the origin of the embedding page, the script executes in the context of the parent page when the setting is rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0.
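The following PHP is an added example, not code from the ci4ms project. It models the filter the advisory describes (strip_tags() with an allowlist and a regex that strips on*= handlers) under the assumption that this is the shape of the original check, shows that an iframe with a srcdoc attribute passes it untouched, and places a hardened replacement beside it. The hardened version never tries to clean the submitted markup: it parses it, reads only the src attribute, requires an https URL on an assumed allowlist of Google Maps embed hosts, and rebuilds the iframe tag from fixed attributes, so srcdoc and any other attribute are simply never copied. The function names, host list and payload are constructed for this example.

```php
<?php
// Added example (not ci4ms project code). Assumed shape of the filter the
// advisory describes: strip_tags() with an iframe allowlist plus a regex
// that removes on*= event-handler attributes.
function legacySanitizeMap(string $html): string
{
    $html = strip_tags($html, '<iframe>');
    // Denylist of event handlers. "srcdoc" does not start with "on", so an
    // <iframe srcdoc="..."> survives this step unchanged.
    return preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $html);
}

// Hardened replacement: allowlist what is kept instead of denylisting what
// is removed. Parse the input, accept exactly one iframe, keep only its src,
// require it to be an https Google Maps embed URL (assumed host allowlist),
// and rebuild the tag from fixed attributes. Returns null on anything else.
function hardenedSanitizeMap(string $html): ?string
{
    $allowedHosts = ['www.google.com', 'maps.google.com']; // assumption for this example

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>', LIBXML_NONET);
    libxml_clear_errors();

    $iframes = $doc->getElementsByTagName('iframe');
    if ($iframes->length !== 1) {
        return null;
    }

    $src   = trim($iframes->item(0)->getAttribute('src'));
    $parts = parse_url($src);
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || !in_array(strtolower($parts['host'] ?? ''), $allowedHosts, true)
        || strpos($parts['path'] ?? '', '/maps/embed') !== 0) {
        return null;
    }

    // Only the validated src is copied; srcdoc, on*= and every other
    // attribute the attacker supplied are discarded with the parsed DOM.
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '" width="600" height="450" style="border:0" loading="lazy"'
        . ' referrerpolicy="no-referrer-when-downgrade" allowfullscreen></iframe>';
}

// Constructed inputs: a srcdoc payload (the entities decode to <script> inside
// the iframe document, which shares the parent page's origin) and a normal
// Google Maps embed snippet.
$payload = '<iframe srcdoc="&lt;script&gt;alert(document.domain)&lt;/script&gt;"></iframe>';
$legit   = '<iframe src="https://www.google.com/maps/embed?pb=!1m18!1d1" width="600" height="450"></iframe>';

echo "legacy filter, payload:   ", legacySanitizeMap($payload), "\n";   // passes through
echo "hardened filter, payload: ", var_export(hardenedSanitizeMap($payload), true), "\n"; // rejected
echo "hardened filter, legit:   ", hardenedSanitizeMap($legit), "\n";
```

The usable lesson is the one the advisory illustrates: a denylist of dangerous attributes is only as complete as the author's list, and srcdoc, which can carry an entire HTML document including script, is easy to overlook. Storing only the validated embed URL and generating the iframe at render time removes the need to filter attacker-controlled HTML at all.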
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ci4-cms-erp/ci4ms (Packagist) | < 0.31.4.0 | 0.31.4.0 |
References
- github.com/advisories/GHSA-x3hr-cp7x-44r2 (GitHub Security Advisory)
- github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2 (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-39390 (NVD)
- github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0 (fixed release)