Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.
Published: 2026-03-30
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored DOM XSS leading to account takeover and privilege escalation
Action: Apply Patch
AI Analysis

Impact

CI4MS is a CodeIgniter 4‑based CMS skeleton that stores configuration values for mail settings without proper sanitization. When an attacker can inject malicious JavaScript into fields such as Mail Server or Email Password, those values are stored server‑side and later rendered in the admin interface. When an administrator or another privileged user views the configuration page, the injected script executes in the victim’s browser, creating a stored DOM XSS flaw that can hijack sessions, manipulate the UI, and grant the attacker full platform access or a higher privilege level.

Affected Systems

The flaw affects all installations of the ci4-cms-erp CI4MS product running a version prior to 0.31.0.0. Any system that allows users with write permission to access the System Settings – Mail Settings page is at risk, regardless of deployment environment or hosting platform.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity, and the vulnerability is not listed in CISA’s KEV catalog. EPSS data is not available. Based on the description, it is inferred that the attack vector requires an authenticated request from a user who can edit mail settings. Successful exploitation results in client‑side JavaScript execution that can lead to session hijacking, privilege escalation, and full platform compromise.

Generated by OpenCVE AI on March 31, 2026 at 06:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CI4MS to version 0.31.0.0 or later as delivered by the vendor.
  • Restrict access to the System Settings – Mail Settings page to administrator accounts only.
  • Delete any previously stored malicious values from mail configuration fields.
  • Implement input validation or output encoding on all configuration fields to prevent future injections.
  • Monitor logs for unauthorized configuration changes and abnormal browser activity.

Generated by OpenCVE AI on March 31, 2026 at 06:26 UTC.
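As an added example (not CI4MS project code), the two controls the recommended actions call for, written against the field set the advisory names: allow-list validation when the Mail Settings form is saved, and attribute-context output encoding when a stored value is rendered back into the admin page. It is plain PHP, since CI4MS is a CodeIgniter 4 application; the field keys, the protocol/TLS allow-list values and the function names are assumptions.

```php
<?php
// Added example, not CI4MS project code. Field keys (mail_server, mail_port, ...)
// and the protocol/TLS allow-lists are assumptions modelled on the advisory text
// and on CodeIgniter 4's Email config; adapt them to the real form.

/** Allow-list validation applied when the Mail Settings form is saved. */
function validateMailSettings(array $in): array
{
    $errors = [];
    // Mail Server: hostname or IPv4 only; quotes, angle brackets and spaces are rejected.
    if (!preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$/', $in['mail_server'] ?? '')) {
        $errors['mail_server'] = 'must be a hostname or IPv4 address';
    }
    // Mail Port: integer in 1..65535.
    $opts = ['options' => ['min_range' => 1, 'max_range' => 65535]];
    if (filter_var($in['mail_port'] ?? '', FILTER_VALIDATE_INT, $opts) === false) {
        $errors['mail_port'] = 'must be an integer between 1 and 65535';
    }
    // Email Address: syntactic e-mail check.
    if (filter_var($in['email_address'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email_address'] = 'must be a valid e-mail address';
    }
    // Mail Protocol and TLS: fixed allow-lists (assumed values).
    if (!in_array($in['mail_protocol'] ?? '', ['smtp', 'sendmail', 'mail'], true)) {
        $errors['mail_protocol'] = 'must be one of smtp, sendmail, mail';
    }
    if (!in_array($in['tls'] ?? '', ['', 'tls', 'ssl'], true)) {
        $errors['tls'] = 'must be empty, tls or ssl';
    }
    return $errors; // empty array means the submission is acceptable
}

/**
 * Render a stored setting into an <input value="..."> with attribute-context encoding.
 * Output encoding closes the stored XSS even for values already in the database (the
 * Email Password field included). In a CodeIgniter 4 view the equivalent is
 * esc($stored, 'attr'); htmlspecialchars() is used here so the file runs without the framework.
 */
function renderSettingField(string $name, string $stored): string
{
    $attr = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<input type="text" name="%s" value="%s">', $attr($name), $attr($stored));
}

// Constructed sample: a stored Mail Server value carrying HTML metacharacters.
$stored = 'smtp.example.com"<>&\'';
echo renderSettingField('mail_server', $stored), PHP_EOL; // metacharacters come out as entities
print_r(validateMailSettings(['mail_server' => $stored, 'mail_port' => '587',
    'email_address' => 'ops@example.com', 'mail_protocol' => 'smtp', 'tls' => 'tls']));
```

The validation call rejects the same sample value on write, so it never reaches storage; the encoding call is the control that covers values already stored before the fix.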

Advisories

  • Source: GitHub GHSA
    ID: GHSA-66m2-v9v9-95c3
    Title: ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

History

Wed, 01 Apr 2026 02:15:00 +0000

  • First Time appeared: added Ci4-cms-erp; Ci4-cms-erp ci4ms
  • Vendors & Products: added Ci4-cms-erp; Ci4-cms-erp ci4ms

Tue, 31 Mar 2026 03:00:00 +0000

  • Description: added "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0."
  • Title: added "CI4MS: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS"
  • Weaknesses: added CWE-79
  • References: (no values listed)
  • Metrics: added cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-30T20:24:08.968Z
Reserved: 2026-02-20T19:43:14.602Z
Link: CVE-2026-27599

Vulnrichment

No data.

NVD

Status: Undergoing Analysis
Published: 2026-03-30T21:17:08.573
Modified: 2026-04-01T14:24:21.833
Link: CVE-2026-27599

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:40:11Z

Weaknesses