Cross-Site Scripting Vulnerability in CI4MS Content Management System by CodeIgniter
CVE-2026-39391

4.8 MEDIUM

Key Information:

CVE Published: 8 April 2026

What is CVE-2026-39391?

The CI4MS Content Management System suffers from a Cross-Site Scripting vulnerability due to the lack of sanitization on the blacklist note parameter. This flaw allows an admin user with blacklist privileges to inject arbitrary JavaScript code, which subsequently executes in the browsers of other administrators who access the user management page. This issue has been addressed in version 0.31.4.0 of CI4MS.

Affected Version(s)

ci4ms < 0.31.4.0

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
