CVE-2026-39391
Published 2026-04-08
Priority P422 · Severity medium · CVSS 3.1 base score 4.8
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.23% (13.8th percentile)
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page. This vulnerability is fixed in 0.31.4.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ci4-cms-erp | ci4ms | < 0.31.4.0 | 0.31.4.0 |
| ci4-cms-erp | ci4ms | >= 0 < 0.31.4.0 | 0.31.4.0 |
OSV · 2026-04-08 · CVE-2026-39391 [MEDIUM]
## CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
## Summary
The blacklist (ban) note parameter in `UserController::ajax_blackList_post()` is stored in the database without sanitization and rendered into an HTML `data-note` attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page.
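As an added illustration (not CI4MS project code), the rendering pattern the summary describes beside its hardened form. The user rows are constructed samples, and `escAttr()` is a plain-PHP stand-in for CodeIgniter 4's `esc($value, 'attr')` so the script runs without the framework.

```php
<?php
// Added example, not CI4MS code: an admin user-list row that carries the
// stored blacklist note in a data-note attribute, vulnerable vs hardened.
declare(strict_types=1);

// Constructed sample rows. The second note contains a double quote and an
// angle bracket, the characters that let a stored value break out of the
// attribute it was meant to sit in (the 'required' rule does not reject them).
const SAMPLE_USERS = [
    ['uid' => 7,  'note' => 'Repeated spam in comments'],
    ['uid' => 12, 'note' => 'abuse" title="injected" data-x="<b>x</b>'],
];

/** Stand-in for CodeIgniter 4's esc($value, 'attr'): entity-encode for a quoted attribute. */
function escAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Pre-0.31.4.0 pattern: the stored note is concatenated straight into the attribute. */
function renderRowVulnerable(array $user): string
{
    return '<tr data-uid="' . (int) $user['uid'] . '" data-note="' . $user['note'] . '"></tr>';
}

/** Hardened pattern: escape at the output sink, in attribute context. */
function renderRowHardened(array $user): string
{
    return '<tr data-uid="' . (int) $user['uid'] . '" data-note="' . escAttr($user['note']) . '"></tr>';
}

/** Counts quoted attributes a browser would parse from a row: a breakout adds attributes. */
function attributeCount(string $row): int
{
    return preg_match_all('/\s[a-zA-Z-]+="[^"]*"/', $row);
}

foreach (SAMPLE_USERS as $user) {
    $vuln = renderRowVulnerable($user);
    $safe = renderRowHardened($user);
    // For uid 12 the vulnerable row parses into four attributes, the hardened one into two.
    printf("uid %d: vulnerable row has %d attributes, hardened row has %d\n",
        $user['uid'], attributeCount($vuln), attributeCount($safe));
    echo "  hardened: {$safe}\n";
}
```

Escaping at the output sink is the fix regardless of whether the note is stored raw; input-side validation alone cannot know which HTML context the value will later land in.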
## Details
In `modules/Users/Controllers/UserController.php`, the `ajax_blackList_post()` method (line 344-362) accepts a `note` POST parameter with only a `required` validation rule:
```php
// Line 347 — validation only checks 'required', no sanitization
$valData = (['note' => ['label' => lang('Backend.notes'), 'rules' => 'required'],
'uid' => ['label' => 'uid', 'rules'
```
GHSA · 2026-04-08 · CVE-2026-39391 [MEDIUM] · CWE-79
## CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
No detection rules found.
No public exploits indexed.
Wiz · blogs_wiz · CVSS 4.8 · CVE-2026-39393 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-39393: PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss (TTL expiry or admin-triggered cache clear), the guard fails open, allowing an unauthenticated attacker to overwrite the .env file with attacker-controlled database credentials, achieving full application takeover. This vulnerability is fixed in 0.31.4.0.
Source: NVD
Score: 8.1
Published: April 8, 2026
Severity: HIGH
Wiz · blogs_wiz · CVSS 5.4 · CVE-2026-39367 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-39367: PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.
Source: NVD
Score: 5.4
Published: April 7, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: PHP
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Wiz · blogs_wiz · CVSS 8.6 · CVE-2026-39370 [HIGH] Impact, Exploitability, and Mitigation Steps
## CVE-2026-39370: PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.
Source: NVD
Score: 7.1
Published: April 7, 2026
Severity: HIGH
CNA Score: 7.1
Affected Technologies: PHP
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
Wiz · blogs_wiz · CVSS 4.8 · CVE-2026-39391 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-39391: PHP vulnerability analysis and mitigation
Source: NVD
Score: 4.8
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 4.8
Affected Technologies: PHP
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
Wiz · blogs_wiz · CVSS 4.8 · CVE-2026-39394 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-39394: PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings(), which writes it into the .env file via preg_replace(). Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration directives into the .env file. The install routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when cache('settings') is empty (cache expiry or fresh deployment). This vulnerability is fixed in 0.31.4.0.
Source: NVD
Score: 8.1
Wiz · blogs_wiz · CVSS 4.8 · CVE-2026-39976 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-39976: PHP vulnerability analysis and mitigation
Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. The league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard then passes this value to retrieveById() without validating that it is actually a user identifier, potentially resolving an unrelated real user. Any machine-to-machine token can inadvertently authenticate as an actual user. This vulnerability is fixed in 13.7.1.
Source: NVD
Score: 7.1
Published: April 9, 2026
Severity: HIGH
CNA Score: 7.1
Affected Technologies: PHP
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
Wiz · blogs_wiz · CVSS 5.4 · CVE-2026-31353 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-31353: PHP vulnerability analysis and mitigation
An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.
Source: NVD
Score: 5.4
Published: April 6, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: PHP
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
EPSS percentile: 7.5
EPSS probability: N/A
Affected packages and libraries: feehi/cms
Sources: NVD
Composer: Severity MEDIUM, No Fix, Added at Apr 09, 2026
Wiz · blogs_wiz · CVSS 4.8 · CVE-2026-31351 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-31351: PHP vulnerability analysis and mitigation
An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.
Source: NVD
Score: 4.8
Published: April 6, 2026
Severity: MEDIUM
CNA Score: 4.8
Affected Technologies: PHP
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
EPSS percentile: 7.7
EPSS probability: N/A
Affected packages and libraries: feehi/cms
Sources: NVD
Composer: Severity MEDIUM, No Fix, Added at Apr 09, 2026
Wiz · blogs_wiz · CVSS 7.6 · CVE-2026-39369 [HIGH] Impact, Exploitability, and Mitigation Steps
## CVE-2026-39369: PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.
Source: NVD
Score: 7.6
Published: April 7, 2026
Severity: HIGH
CNA Score: 7.6
Affected Technologies: PHP
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Wiz · blogs_wiz · CVSS 6.5 · CVE-2026-39368 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-39368: PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.
Source: NVD
Score: 6.5
Published: April 7, 2026
Severity: MEDIUM
CNA Score: 6.5
Affected Technologies: PHP
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
EPSS percentile: 8.1
Wiz · blogs_wiz · CVSS 5.5 · CVE-2026-39390 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-39390: PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an iframe payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0.
Source: NVD
Score: 5.5
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 5.5
Wiz · blogs_wiz · CVSS 5.4 · CVE-2026-31354 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-31354: PHP vulnerability analysis and mitigation
Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters.
Source: NVD
Score: 5.4
Published: April 6, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: PHP
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
EPSS percentile: 6.8
EPSS probability: N/A
Affected packages and libraries: feehi/cms
Sources: NVD
Composer: Severity MEDIUM, No Fix, Added at Apr 09, 2026
Wiz · blogs_wiz · CVSS 6.7 · CVE-2026-39389 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-39389: PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0.
Source: NVD
Score: 6.7
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 6.7
Affected Technologies: PHP
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
EPSS percentile: 2
EPSS probability: N/A
Affected packages and libraries: ci4-cms-erp/ci4ms
Sources: NVD
Composer: Severity MEDIUM, Has Fix, Added at Apr 09, 2026
Wiz · blogs_wiz · CVSS 5.4 · CVE-2026-31352 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-31352: PHP vulnerability analysis and mitigation
An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter.
Source: NVD
Score: 5.4
Published: April 6, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: PHP
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
EPSS percentile: 9
EPSS probability: N/A
Affected packages and libraries: feehi/cms
Sources: NVD
Composer: Severity MEDIUM, No Fix, Added at Apr 09, 2026
Wiz · blogs_wiz · CVSS 5.4 · CVE-2026-31350 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-31350: PHP vulnerability analysis and mitigation
An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter.
Source: NVD
Score: 5.4
Published: April 6, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: PHP
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
EPSS percentile: 9
EPSS probability: N/A
Affected packages and libraries: feehi/cms
Sources: NVD
Composer: Severity MEDIUM, No Fix, Added at Apr 09, 2026
Wiz · blogs_wiz · CVSS 4.8 · CVE-2026-39392 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-39392: PHP vulnerability analysis and mitigation
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the database and rendered as raw HTML on the public frontend via echo $pageInfo->content. An authenticated admin with page-editing privileges can inject arbitrary JavaScript that executes in the browser of every public visitor viewing the page. This vulnerability is fixed in 0.31.4.0.
Source: NVD
Score: 5.5
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 5.5
Wiz · blogs_wiz · CVSS 6.5 · CVE-2026-39366 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-39366: PHP vulnerability analysis and mitigation
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate via PayPalYPT_log entries, but the v1 handler was never updated and remains actively referenced as the notify_url for billing plans.
Source: NVD
Score: 6.5
Published: April 7, 2026
Severity: MEDIUM
CNA Score: 6.5
Affected Technologies: PHP
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Wiz · blogs_wiz · CVSS 5.4 · CVE-2026-31313 [MEDIUM] Impact, Exploitability, and Mitigation Steps
## CVE-2026-31313: PHP vulnerability analysis and mitigation
An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Content field.
Source: NVD
Score: 5.4
Published: April 6, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: PHP
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
EPSS percentile: 9
EPSS probability: N/A
Affected packages and libraries: feehi/cms
Sources: NVD
Composer: Severity MEDIUM, No Fix, Added at Apr 09, 2026