CVE-2026-39392

MEDIUM 5.5

CI4MS has Stored XSS in Pages Content Due to Missing html_purify Sanitization

CVSS Score

5.5

EPSS Score

0.0%

EPSS Percentile

0th

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the database and rendered as raw HTML on the public frontend via echo $pageInfo->content. An authenticated admin with page-editing privileges can inject arbitrary JavaScript that executes in the browser of every public visitor viewing the page. This vulnerability is fixed in 0.31.4.0.

CWE	CWE-79
Vendor	ci4-cms-erp
Product	ci4ms
Published	Apr 8, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for ci4-cms-erp ci4ms

Be the first to know when new medium vulnerabilities affecting ci4-cms-erp ci4ms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

ci4-cms-erp / ci4ms

< 0.31.4.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fjpj-6qcq-6pw2