CVE-2026-39390
Stored XSS via srcdoc iframe Injection in CI4MS CMS
Publication date: 2026-04-08
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ci4-cms-erp | ci4ms | up to 0.31.3.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39390 is a stored Cross-Site Scripting (XSS) vulnerability in the Google Maps iframe setting (cMap field) of the ci4-cms-erp/ci4ms package. The vulnerability occurs because the input sanitization uses PHP's strip_tags() function with an allowlist permitting only the <iframe> tag and removes event handler attributes starting with "on" via regex. However, the srcdoc attribute of the iframe, which is not an event handler, bypasses these filters.
An attacker with authenticated admin privileges and update rights on the Settings module can inject an <iframe> element with a srcdoc attribute containing HTML-entity-encoded JavaScript payloads. Since the sanitization does not decode HTML entities and does not block srcdoc, the malicious script passes through and is stored.
When this iframe is rendered on the frontend for unauthenticated visitors, the browser decodes the srcdoc content and executes the embedded JavaScript in the context of the parent page. Because the iframe with srcdoc and no sandbox attribute inherits the parent document's origin, the injected script gains full access to the parent page's DOM, cookies (except HttpOnly), and session.
This allows the attacker to perform actions such as session hijacking, credential theft (e.g., injecting fake login forms or phishing redirects), and scope escalation from the trusted admin backend to all unauthenticated frontend users.
The vulnerability is fixed by replacing the regex-based attribute blocklist with a strict allowlist of safe iframe attributes and restricting the src attribute to only HTTPS URLs, preventing dangerous attributes like srcdoc or malicious src values.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker with admin privileges to inject malicious JavaScript that executes in the context of all unauthenticated frontend visitors.
- Session hijacking: The attacker can steal session cookies (unless HttpOnly) and impersonate users.
- Credential theft: The attacker can inject fake login forms or phishing redirects to steal user credentials.
- Scope escalation: The attacker can escalate privileges from the trusted admin backend to affect all frontend users.
- Compromise of frontend user data and interactions due to execution of arbitrary JavaScript in the parent page context.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Google Maps iframe setting (cMap field) in the Settings module contains an <iframe> element with a srcdoc attribute that includes HTML-entity-encoded JavaScript payloads.
Since the vulnerability involves stored Cross-Site Scripting (XSS) via the srcdoc attribute, detection involves inspecting the backend settings for suspicious iframe srcdoc content and monitoring frontend pages for unexpected script execution.
A practical approach is to query the backend settings database or configuration files for iframe tags containing the srcdoc attribute.
- Use a command or script to search for the srcdoc attribute in the stored Google Maps iframe settings, for example with grep on configuration files or database dumps: `grep -i 'srcdoc' <file-or-dump>`
- Monitor frontend HTTP responses for unexpected script execution or injected iframes by capturing traffic with tools like curl or browser developer tools.
- Perform a POST request as an authenticated admin to the backend/settings/compInfos endpoint with a test payload containing an iframe with srcdoc, then check whether the stored value still carries the attribute; if it does, the system is vulnerable.
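The filter bypass described in the explanation above and the audit step listed here, as an added example that is not code from the ci4ms project: `weakSanitize()` is a reconstruction of the described strip_tags allowlist plus on* regex, `strictSanitize()` is an assumed attribute-allowlist fix with an HTTPS-only src, and `auditStoredIframe()` flags stored values the strict version would reject. The attribute allowlist, the placeholder embed URL and the sample stored value are all constructed for this example.

```php
<?php
// Constructed demonstration for this advisory, not code from ci4ms: the described weak
// filter beside a hardened attribute-allowlist sanitizer and an audit helper for stored values.

// Weak filter as described: only <iframe> survives strip_tags, then on* handlers are cut.
function weakSanitize(string $html): string {
    $html = strip_tags($html, '<iframe>');
    // srcdoc is not an event handler, so this regex never touches it.
    return preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $html);
}

// Hardened replacement (assumed allowlist): keep only permitted attributes and an HTTPS src.
const SAFE_IFRAME_ATTRS = ['src', 'width', 'height', 'style', 'loading', 'referrerpolicy', 'allowfullscreen'];

function strictSanitize(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // tolerate fragments without a full document
    $doc->loadHTML('<body>' . $html . '</body>');
    libxml_clear_errors();
    $iframe = $doc->getElementsByTagName('iframe')->item(0);
    if ($iframe === null) { return ''; }
    $src = $iframe->getAttribute('src');
    if (!filter_var($src, FILTER_VALIDATE_URL) || strtolower((string) parse_url($src, PHP_URL_SCHEME)) !== 'https') {
        return '';                              // anything but an absolute https URL is dropped
    }
    $attrs = '';
    foreach (SAFE_IFRAME_ATTRS as $name) {      // rebuild from the allowlist; srcdoc is never copied
        if ($iframe->hasAttribute($name)) {
            $attrs .= ' ' . $name . '="' . htmlspecialchars($iframe->getAttribute($name), ENT_QUOTES, 'UTF-8') . '"';
        }
    }
    return '<iframe' . $attrs . '></iframe>';
}

// Audit helper for the detection step: flags stored iframes the strict sanitizer would reject.
function auditStoredIframe(string $html): array {
    $findings = [];
    if (preg_match('/<iframe\b[^>]*\bsrcdoc\s*=/i', $html))                 { $findings[] = 'srcdoc attribute present'; }
    if (preg_match('/<iframe\b[^>]*\bon\w+\s*=/i', $html))                  { $findings[] = 'event handler attribute present'; }
    if (preg_match('/<iframe\b[^>]*\bsrc\s*=\s*["\']?+(?!https:)/i', $html)) { $findings[] = 'src is not an https URL'; }
    return $findings;
}

// Constructed sample value: harmless entity-encoded markup in srcdoc stands in for a payload.
$stored = '<iframe src="https://maps.example/embed?q=PLACEHOLDER" srcdoc="&lt;b&gt;injected&lt;/b&gt;" onload="x()"></iframe>';
echo weakSanitize($stored), PHP_EOL;     // onload is removed, srcdoc is kept: the stored value stays dangerous
echo strictSanitize($stored), PHP_EOL;   // only the https src attribute remains
print_r(auditStoredIframe($stored));     // reports the srcdoc and event handler findings
```

Running `auditStoredIframe()` over each stored cMap value from a database dump gives the same check as the grep above but also catches non-HTTPS or event-handler variants.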
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the ci4-cms-erp/ci4ms package to version 0.31.4.0 or later, where the vulnerability is fixed.
The fix involves replacing the regex-based attribute blocklist with a strict allowlist of safe iframe attributes and restricting the src attribute to only HTTPS URLs, effectively blocking dangerous attributes like srcdoc.
Until the upgrade can be applied, restrict admin access to trusted users only, as the vulnerability requires admin update rights to exploit.
Additionally, review and sanitize any existing iframe settings in the backend to remove any iframe elements containing the srcdoc attribute or suspicious payloads.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-39390 is a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker with admin privileges to inject malicious JavaScript into the frontend context, potentially leading to session hijacking and credential theft.
Such unauthorized access to user sessions and credentials can lead to exposure of personal data, which may violate data protection regulations like GDPR and HIPAA that require safeguarding user information and preventing unauthorized access.
Therefore, this vulnerability could negatively impact compliance with these standards by enabling attackers to compromise confidentiality and integrity of user data through exploitation of the XSS flaw.