CVE-2026-39390
Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an <iframe> allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an <iframe srcdoc="..."> payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ci4-cms-erp/ci4msPackagist | < 0.31.4.0 | 0.31.4.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-x3hr-cp7x-44r2ghsaADVISORY
- github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-39390ghsaADVISORY
- github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0ghsaWEB
News mentions
0No linked articles in our index yet.