CodeIgniter 4-based CMS Skeleton Vulnerability in CI4MS
CVE-2026-39390

5.5 MEDIUM

Key Information:

Status:
Vendor:
CVE Published: 8 April 2026

What is CVE-2026-39390?

CI4MS, a CodeIgniter 4-based Content Management System, has a vulnerability that allows an authenticated admin user to inject malicious iframes into the platform. Specifically, prior to version 0.31.4.0, the sanitization process for the Google Maps iframe setting fails to adequately filter the 'srcdoc' attribute. This oversight permits the injection of a payload that carries HTML-entity-encoded JavaScript inside the srcdoc value. When the stored iframe is displayed to unauthenticated users on the frontend, the browser decodes the entities and the script executes within the context of the parent page, potentially compromising user data and security. This vulnerability has been addressed in version 0.31.4.0.
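The defensive pattern for a setting like this is to stop storing admin-supplied markup at all: parse the pasted snippet, keep only a validated Google Maps embed URL, and regenerate the iframe server-side, so an entity-encoded srcdoc body is rejected at the attribute level rather than missed by a substring filter. The following is an added illustration, not code from CI4MS; the allowed hosts, attribute allowlist and sample embed are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: only https Google Maps embed URLs on these hosts are acceptable.
ALLOWED_HOSTS = {"www.google.com", "maps.google.com"}
ALLOWED_ATTRS = {"src", "width", "height", "style", "allowfullscreen",
                 "loading", "referrerpolicy"}
# Constructed sample of what a benign admin would paste into the setting.
SAMPLE_EMBED = ('<iframe src="https://www.google.com/maps/embed?pb=!1m18" '
                'width="600" height="450" loading="lazy"></iframe>')


class _IframeScanner(HTMLParser):
    """Collects every element (tag plus attributes) and any stray text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.elements = []
        self.text = ""

    def handle_starttag(self, tag, attrs):
        # The parser lowercases names, so SRCDOC and srcdoc look alike here.
        self.elements.append((tag, {k: (v or "") for k, v in attrs}))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_data(self, data):
        self.text += data


def extract_maps_src(snippet):
    """Return the embed URL for exactly one clean Google Maps <iframe>, else
    None; checks parsed attributes, so entity-encoded srcdoc cannot hide."""
    scanner = _IframeScanner()
    scanner.feed(snippet)
    scanner.close()
    if scanner.text.strip() or len(scanner.elements) != 1:
        return None
    tag, attrs = scanner.elements[0]
    if tag != "iframe" or "srcdoc" in attrs or not set(attrs) <= ALLOWED_ATTRS:
        return None
    url = urlparse(attrs.get("src", ""))
    if url.scheme != "https" or url.netloc not in ALLOWED_HOSTS:
        return None
    return attrs["src"] if url.path.startswith("/maps/embed") else None


def render_maps_iframe(snippet):
    """Store only the validated URL and regenerate a fixed-shape iframe."""
    src = extract_maps_src(snippet)
    return "" if src is None else (
        '<iframe src="%s" width="600" height="450" loading="lazy"></iframe>'
        % html.escape(src, quote=True))
```

Because the rendered iframe is rebuilt from the URL alone, nothing an admin typed other than the src value ever reaches the frontend page.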

Affected Version(s)

ci4ms < 0.31.4.0

References

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
