CodeIgniter 4-based CMS Skeleton Vulnerability in Mail Settings
CVE-2026-27599
4.7 MEDIUM
What is CVE-2026-27599?
CI4MS, an application built on the CodeIgniter 4 framework, does not adequately sanitize user-controlled input in its Mail Settings configuration. In versions prior to 0.31.0.0, a malicious user can inject harmful data into multiple fields, such as Mail Server, Mail Port, Email Address, Email Password, and the TLS settings. The input is stored on the server and later displayed without proper output encoding, which creates a risk of stored cross-site scripting (XSS). The issue is fixed in version 0.31.0.0.
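The two controls the description points to, validating each mail setting on save and encoding it when it is displayed, are sketched below as an added example; it is not CI4MS code or the project's actual patch. The field keys (server, port, address, password, tls), the allowed TLS values and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Validate on save. Field keys are hypothetical, not CI4MS's own form keys.
function validateMailSettings(array $in): array
{
    $errors = [];
    $host = trim((string) ($in['server'] ?? ''));
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false
        && filter_var($host, FILTER_VALIDATE_IP) === false) {
        $errors['server'] = 'Mail server must be a hostname or IP address.';
    }
    $port = filter_var($in['port'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false) {
        $errors['port'] = 'Mail port must be an integer from 1 to 65535.';
    }
    if (filter_var($in['address'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['address'] = 'Email address is not valid.';
    }
    // Assumed allow-list; the page does not list the accepted TLS values.
    if (!in_array($in['tls'] ?? '', ['', 'tls', 'ssl'], true)) {
        $errors['tls'] = 'TLS setting must be one of the allowed values.';
    }
    return $errors;
}

// Encode on output, whatever was stored. In a CodeIgniter 4 view the
// framework's esc() helper fills the same role.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderField(string $name, string $value): string
{
    // The stored password is never written back into the page.
    $shown = $name === 'password' ? '' : $value;
    return '<input name="' . e($name) . '" value="' . e($shown) . '">';
}

// Constructed sample submission containing markup characters.
$sample = ['server' => 'smtp.example.test"><b>x</b>', 'port' => '587<i>',
    'address' => 'admin@example.test', 'password' => 'p"w<d', 'tls' => 'tls'];

print_r(validateMailSettings($sample));
foreach ($sample as $name => $value) {
    echo renderField($name, $value), PHP_EOL;
}
```

Validation alone does not cover values already stored by an affected version, so the encoding step applies to every render of these fields.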
Affected Version(s)
ci4ms < 0.31.0.0
