CVE-2026-39390
published 2026-04-08


Priority: P4 (23)
CVSS 3.1: 4.8 (Medium), vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.24% (14.4th percentile)
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (the cMap field) in compInfosPost() sanitizes input with strip_tags() using a tag allowlist, followed by regex removal of on\w+ event-handler attributes. The srcdoc attribute is not an event handler, so it passes both filters untouched. An attacker with admin settings access can inject an iframe whose srcdoc attribute carries HTML-entity-encoded JavaScript; the browser decodes the entities when it parses the attribute and renders the result as a document that shares the parent page's origin, so the script executes in the context of the parent page for every unauthenticated frontend visitor. This vulnerability is fixed in 0.31.4.0.
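
Added example, not code from CI4MS or from the advisory: a PHP reconstruction of the filter shape described above (strip_tags() with an allowlist plus an on\w+ regex; the exact allowlist and pattern CI4MS used are assumptions), shown passing a srcdoc payload, beside a hardened version that parses the submitted markup and rebuilds the iframe from an allowlisted https src only. The host allowlist, the fixed attributes in the rebuilt tag, and the sample inputs are illustrative choices.

```php
<?php
// Added example, not CI4MS's own code. weakSanitizeMap() reconstructs the
// shape of the filter the advisory describes; the allowlist and the regex
// are assumptions, not the project's actual values.
declare(strict_types=1);

// Weak filter: strip_tags() keeps <iframe> together with ALL of its
// attributes, and the regex only knows about on*= handlers. srcdoc is
// neither a disallowed tag nor an event handler, so it survives.
function weakSanitizeMap(string $html): string
{
    $html  = strip_tags($html, '<iframe>');
    $regex = '/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i';
    return preg_replace($regex, '', $html) ?? '';
}

// Hardened filter: parse the markup, accept only <iframe> elements whose src
// is an https URL on an allowlisted host, and re-emit each one from a fixed
// template. No input attribute is copied through, so srcdoc, on*, style and
// anything else in the submitted tag cannot reach the rendered page.
function strictSanitizeMap(string $html, array $allowedHosts = ['www.google.com']): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $out = [];
    foreach ($doc->getElementsByTagName('iframe') as $iframe) {
        $src   = trim($iframe->getAttribute('src'));
        $parts = parse_url($src);
        if (!is_array($parts)) {
            continue;
        }
        $scheme = strtolower($parts['scheme'] ?? '');
        $host   = strtolower($parts['host'] ?? '');
        if ($scheme !== 'https' || !in_array($host, $allowedHosts, true)) {
            continue;
        }
        $out[] = sprintf(
            '<iframe src="%s" width="600" height="450" loading="lazy" referrerpolicy="no-referrer-when-downgrade"></iframe>',
            htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        );
    }
    return implode("\n", $out);
}

// Constructed inputs (not taken from the advisory or from a real site).
$payload = '<iframe onload="alert(1)" '
         . 'srcdoc="&lt;script&gt;parent.document.title=\'x\'&lt;/script&gt;">'
         . '</iframe>';
$legit   = '<iframe src="https://www.google.com/maps/embed?pb=example" '
         . 'width="600" height="450" style="border:0" allowfullscreen></iframe>';

// The weak filter strips onload= but leaves srcdoc= intact; a browser then
// entity-decodes the attribute and runs the <script> with the parent's origin.
echo "weak/payload:   ", weakSanitizeMap($payload), PHP_EOL;
// The strict filter emits nothing for the payload (it has no allowlisted
// https src) and a rebuilt, attribute-controlled tag for the real embed.
echo "strict/payload: ", strictSanitizeMap($payload), PHP_EOL;
echo "strict/legit:   ", strictSanitizeMap($legit), PHP_EOL;
```

Simply adding srcdoc to the regex would repeat the same mistake with the next attribute (an iframe src of javascript: also runs with the parent's origin), which is why the hardened version allowlists what is re-emitted rather than denylisting what is removed. A sandbox attribute is deliberately absent from the template because a Google Maps embed needs script execution to render; if the embed host list needs to grow, extend $allowedHosts rather than loosening the scheme check.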

Affected (3 ranges)

Vendor       Product  Version range       Fixed in
ci4-cms-erp  ci4ms    < 0.31.4.0          0.31.4.0
ci4-cms-erp  ci4ms    <= 0.31.3.0         (not listed)
ci4-cms-erp  ci4ms    >= 0, < 0.31.4.0    0.31.4.0