Cross-Site Scripting Vulnerability in CI4MS by CodeIgniter
CVE-2026-39392
5.5 MEDIUM
What is CVE-2026-39392?
The CI4MS content management system, built on CodeIgniter 4, has a vulnerability that allows authenticated administrators with page-editing privileges to insert arbitrary JavaScript into web pages. The Pages module does not apply the html_purify validation rule to sanitize HTML during page creation and updates, so unfiltered HTML is stored directly in the database. That stored content is then rendered unchanged on the public frontend, exposing visitors of the affected pages to stored cross-site scripting, with the potential for injected scripts to execute in their browsers.
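The following controller method is an added illustration, not CI4MS project code, showing the weak rule set the advisory describes beside the corrected one in CodeIgniter 4 terms. It assumes a hypothetical `PagesModel` and that an `html_purify` rule (the rule the advisory names) is registered in the application's `Config\Validation` rule sets.

```php
<?php
// Added example, not CI4MS code. Assumes App\Models\PagesModel exists and
// that the `html_purify` rule is registered in app/Config/Validation.php.

namespace App\Controllers;

use App\Models\PagesModel;

class Pages extends BaseController
{
    public function update(int $id)
    {
        // Weak configuration (the behaviour the advisory describes):
        // `content` is only checked for presence, so any markup an editor
        // submits is stored verbatim and later rendered on the public site.
        //
        // $rules = [
        //     'title'   => 'required|max_length[255]',
        //     'content' => 'required',
        // ];

        // Corrected configuration: the html_purify rule runs as part of
        // validation on create and update, so page content that has not
        // passed sanitization is rejected before it reaches the database.
        $rules = [
            'title'   => 'required|max_length[255]',
            'content' => 'required|html_purify',
        ];

        if (! $this->validate($rules)) {
            // Surface the validation failure to the editor instead of
            // silently persisting the submitted HTML.
            return redirect()->back()
                ->withInput()
                ->with('errors', $this->validator->getErrors());
        }

        $model = new PagesModel();
        $model->update($id, [
            'title'   => $this->request->getPost('title'),
            'content' => $this->request->getPost('content'),
        ]);

        return redirect()->to('/admin/pages');
    }
}
```

When auditing an instance, compare the rule strings used by the Pages module's create and update paths against this pattern: the absence of `html_purify` on `content` is the condition the advisory identifies.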
Affected Version(s)
ci4ms < 0.31.4.0
