Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the database and rendered as raw HTML on the public frontend via echo $pageInfo->content. An authenticated admin with page-editing privileges can inject arbitrary JavaScript that executes in the browser of every public visitor viewing the page. This vulnerability is fixed in 0.31.4.0.
Published: 2026-04-08
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting that allows a privileged administrator to insert JavaScript that runs in the browsers of all public visitors to the affected page
Action: Immediate Patch
AI Analysis

Impact

In CI4MS, a CodeIgniter 4‑based CMS skeleton, page content is stored in the database without applying the html_purify validation rule in the Pages module before version 0.31.4.0. When a page is displayed, the content is echoed directly as raw HTML in the public frontend. An authenticated administrator with page‑editing privileges can therefore embed arbitrary JavaScript into the page. When visitors load the page, the injected script executes in their browsers.

Affected Systems

Vulnerable installations of the ci4ms CMS from ci4‑cms‑erp that use the Pages module and are running any release prior to 0.31.4.0 are affected. Administrators who have the ability to edit pages are the only users able to create the vulnerable content.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, reflecting that exploitation requires authenticated access and leads to client‑side impact only. EPSS data is unavailable, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting that exploitation is either not yet documented or limited. The likely attack vector is inferred to be an authenticated administrator with page‑editing privileges; after injecting the script, the malicious code is served to all public visitors. The risk is mitigated by upgrading to version 0.31.4.0 or newer, or by removing page‑editing rights from administrators if an upgrade cannot be performed immediately.

Generated by OpenCVE AI on April 8, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ci4ms to version 0.31.4.0 or later.

Generated by OpenCVE AI on April 8, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fjpj-6qcq-6pw2 CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization
History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Ci4-cms-erp
Ci4-cms-erp ci4ms
Vendors & Products Ci4-cms-erp
Ci4-cms-erp ci4ms

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the database and rendered as raw HTML on the public frontend via echo $pageInfo->content. An authenticated admin with page-editing privileges can inject arbitrary JavaScript that executes in the browser of every public visitor viewing the page. This vulnerability is fixed in 0.31.4.0.
Title CI4MS has Stored XSS in Pages Content Due to Missing html_purify Sanitization
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Ci4-cms-erp Ci4ms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T16:05:26.652Z

Reserved: 2026-04-06T22:06:40.516Z

Link: CVE-2026-39392

cve-icon Vulnrichment

Updated: 2026-04-08T16:05:23.765Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T15:16:14.057

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39392

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:39:19Z

Weaknesses