CVE-2026-39390
Published 2026-04-08
Priority P4 · 23 · medium · 4.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS 0.24% (14.4th percentile)
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an iframe payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ci4-cms-erp | ci4ms | < 0.31.4.0 | 0.31.4.0 |
| ci4-cms-erp | ci4ms | <= 0.31.3.0 | — |
| ci4-cms-erp | ci4ms | >= 0 < 0.31.4.0 | 0.31.4.0 |
GHSA (ghsa · 2026-04-08)
CVE-2026-39390 [MEDIUM] CWE-79: CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting
## Summary
The Google Maps iframe setting (`cMap` field) in `compInfosPost()` sanitizes input using `strip_tags()` with an `<iframe>` allowlist and regex-based removal of `on\w+` event handlers. However, the `srcdoc` attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an `<iframe>` payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors.
## Details
**Input sanitization** (`modules/Settings/Controllers/Settings.php:49-53`):
```php
// Only <iframe> survives strip_tags(); every attribute on that tag is kept as-is
$mapValue = trim(strip_tags($this->request->getPost('cMap'), '<iframe>'));
// Strips on*="..." event handlers (double-quoted only); srcdoc is not matched
$mapValue = preg_replace('/\bon\w+\s*=\s*"[^"]*"/i', '', $mapValue);
$mapValue = preg_re
```
OSV (osv · 2026-04-08)
CVE-2026-39390 [MEDIUM]: CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting
No detection rules found.
No public exploits indexed.
Published 2026-04-08
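As an added example (not CI4MS code and not the project's 0.31.4.0 fix), the block below contrasts the filter described in the GHSA details with an allowlist-based rewrite: `vulnerableFilter()` mirrors the `strip_tags()` plus `on\w+` regex approach and lets a `srcdoc` attribute through, while `sanitizeMapEmbed()` parses the iframe with `DOMDocument`, keeps only allowlisted attributes, requires an `https://www.google.com/maps/embed` source and re-serializes the element. Both function names, the attribute allowlist and the sample input are assumptions.

```php
<?php
// Added example, not CI4MS code. vulnerableFilter() mirrors the advisory's filter: strip_tags()
// keeps <iframe> intact and the regex removes only on*="..." handlers, so srcdoc passes through.
function vulnerableFilter(string $input): string
{
    $v = trim(strip_tags($input, '<iframe>'));
    return preg_replace('/\bon\w+\s*=\s*"[^"]*"/i', '', $v);
}
// Hardened variant (hypothetical name): parse the iframe, keep only allowlisted attributes,
// require a Google Maps embed URL, and rebuild the element. Allowlisting covers srcdoc and on*.
function sanitizeMapEmbed(string $input): ?string
{
    $allowedAttrs = ['src', 'width', 'height', 'style', 'loading', 'referrerpolicy', 'allowfullscreen'];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $ok = $doc->loadHTML('<div>' . $input . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    if (!$ok) {
        return null;
    }
    $iframes = $doc->getElementsByTagName('iframe');
    if ($iframes->length !== 1) {
        return null;                       // exactly one embed, nothing else
    }
    $attrs = [];
    foreach ($iframes->item(0)->attributes as $attr) {
        $name = strtolower($attr->name);
        if (!in_array($name, $allowedAttrs, true)) {
            return null;                   // srcdoc, onload, and any other unknown attribute
        }
        $attrs[$name] = $attr->value;
    }
    $u = parse_url($attrs['src'] ?? '');
    if (($u['scheme'] ?? '') !== 'https' || ($u['host'] ?? '') !== 'www.google.com'
        || strpos($u['path'] ?? '', '/maps/embed') !== 0) {
        return null;                       // only Google Maps embed URLs are accepted
    }
    $html = '<iframe';
    foreach ($attrs as $k => $v) {         // re-serialize with escaped attribute values
        $html .= ' ' . $k . '="' . htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
    }
    return $html . '></iframe>';
}
// Constructed sample: a harmless srcdoc attribute survives the original filter but is rejected here.
$sample = '<iframe src="https://www.google.com/maps/embed?pb=!1m18" srcdoc="x"></iframe>';
assert(str_contains(vulnerableFilter($sample), 'srcdoc="x"'));
assert(sanitizeMapEmbed($sample) === null);
```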