Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page. This vulnerability is fixed in 0.31.4.0.
Published: 2026-04-08
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting that executes in admin browsers
Action: Patch Now
AI Analysis

Impact

A flaw in CI4MS allows an administrator with blacklist privileges to store arbitrary JavaScript in a blacklist note that is later rendered unescaped in a data‑note attribute of the user management page. This stored cross‑site scripting can be executed in the browser of any other admin who views the affected page, potentially enabling session hijacking, credential theft, or malicious content injection.

Affected Systems

The vulnerability is present in CI4MS CMS skeleton releases before version 0.31.4.0, specifically in the UserController::ajax_blackList_post() method where blacklist notes are stored without sanitization. All installations of the affected release that have admin users capable of assigning or modifying blacklist entries may be affected.

Risk and Exploitability

The CVSS score of 4.8 indicates a medium severity level. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, suggesting that there are currently no publicly known widespread exploits. However, any attacker who can log into the admin panel with blacklist privileges can abuse the flaw, so the risk remains tangible until the fix is applied. The issue is resolvable by upgrading to 0.31.4.0 or later and is not inherently exploitable from external sources without administrative access.

Generated by OpenCVE AI on April 8, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 0.31.4.0 patch or a later release that removes the unsanitized storage of blacklist notes.

Generated by OpenCVE AI on April 8, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7cm9-v848-cfh2 CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Ci4-cms-erp
Ci4-cms-erp ci4ms
Vendors & Products Ci4-cms-erp
Ci4-cms-erp ci4ms

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page. This vulnerability is fixed in 0.31.4.0.
Title CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Ci4-cms-erp Ci4ms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T15:18:08.667Z

Reserved: 2026-04-06T22:06:40.516Z

Link: CVE-2026-39391

cve-icon Vulnrichment

Updated: 2026-04-08T15:18:00.203Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T15:16:13.897

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39391

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:39:20Z

Weaknesses