CVE-2026-39391
Status: Received - Intake
Stored XSS in CI4MS UserController Allows Admin Hijack

Publication date: 2026-04-08

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page. This vulnerability is fixed in 0.31.4.0.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-16
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: ci4-cms-erp | Product: ci4ms | Version / Range: up to 0.31.4.0 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39391 is a stored Cross-Site Scripting (XSS) vulnerability in the ci4-cms-erp/ci4ms package (versions up to 0.31.3.0). It occurs because the blacklist (ban) note parameter in the UserController::ajax_blackList_post() method is accepted without proper sanitization or escaping and stored directly in the database.

When the user management page is rendered, this note is injected into an HTML data-note attribute inside a button element without escaping, allowing an attacker with blacklist privileges to inject arbitrary JavaScript code.

This malicious script executes in the browsers of other admins who view the page, potentially leading to session hijacking and privilege escalation.


How can this vulnerability impact me?

This vulnerability allows an attacker with blacklist privileges to inject malicious JavaScript that executes in the browsers of other administrators viewing the user management page.

The impact includes session hijacking of other admins, including superadmins, which can lead to privilege escalation and unauthorized access to administrative functions.

Because the vulnerability is persistent and triggered whenever the user management page is viewed, it poses a continuous risk to the security of the administrative environment.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker with blacklist privileges to inject arbitrary JavaScript code that executes in the browsers of other admins, potentially leading to session hijacking and privilege escalation.

Such unauthorized access and session hijacking can compromise the confidentiality and integrity of administrative accounts, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of sensitive data and secure access controls.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of malicious JavaScript code injected into the blacklist (ban) note parameter stored in the database and rendered in the user management page.

Specifically, you can inspect the database entries for the blacklist notes to see if any contain suspicious or unescaped JavaScript code.

Additionally, monitoring HTTP POST requests to the `UserController::ajax_blackList_post()` endpoint for unusual or suspicious payloads in the note parameter can help detect exploitation attempts.

On the client side, you can use browser developer tools to inspect the user management page's HTML, looking for unescaped script code inside the `data-note` attribute of blacklist buttons.

Suggested commands or steps include:

  • Query the database for blacklist notes containing script tags or suspicious content, e.g., using SQL: `SELECT status_message FROM bans WHERE status_message LIKE '%<script>%'`
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture POST requests to the blacklist endpoint and analyze the note parameter.
  • Use curl or similar tools to test the blacklist POST endpoint with benign and malicious payloads to see if the input is stored and rendered without escaping.
  • Inspect the user management page in a browser and check the HTML elements for unescaped JavaScript in the `data-note` attribute.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the ci4-cms-erp/ci4ms package to version 0.31.4.0 or later, where the vulnerability is fixed.

The fix involves applying proper escaping to the blacklist note parameter when rendering it into the HTML attribute, preventing injection of malicious scripts.

Until the upgrade can be applied, consider restricting or disabling blacklist privileges to trusted administrators only, to reduce the risk of malicious input.

Additionally, enabling Content Security Policy (CSP) and other secure HTTP headers can help mitigate the impact of any injected scripts.

Review and sanitize any existing blacklist notes in the database to remove potentially malicious scripts.
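The detection steps above and the escaping fix described in the mitigation answer can be illustrated together. The following is an added example, not code from CI4MS: it renders a hypothetical blacklist button with the note in a `data-note` attribute, with and without attribute escaping, parses the result the way a browser would to check whether the note stayed inside the attribute, and runs a heuristic audit over constructed sample notes that goes further than a `LIKE '%<script>%'` query. The `bans.status_message` column name, the button markup and the sample notes are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values for a hypothetical `bans.status_message` column.
SAMPLE_NOTES = [
    "Repeated spam posts",
    'Ban reason: "policy" <ticket 42>',  # legitimate text that still needs escaping
    'spam" data-injected="1',            # closes the attribute and starts a new one
    "<script>alert('x')</script>",       # what the page's LIKE '%<script>%' query finds
]

# Patterns worth flagging in an audit of stored notes: script tags, inline event
# handlers, javascript: URLs, and a quote that begins a new attribute.
SUSPICIOUS = re.compile(r'<\s*script|\bon[a-z]+\s*=|javascript:|"\s*[a-z-]+\s*=', re.I)

def render_ban_button(note: str, escape: bool = True) -> str:
    """Hypothetical view fragment. escape=False reproduces the bug class (raw note
    interpolated into the attribute); escape=True is the fix, equivalent to
    esc($note, 'attr') in a CodeIgniter 4 view."""
    value = html.escape(note, quote=True) if escape else note
    return f'<button class="ban-note" data-note="{value}">Note</button>'

class _ButtonAttrs(HTMLParser):
    """Collect the attributes of the first <button>, as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "button" and self.attrs is None:
            self.attrs = dict(attrs)  # entity references already decoded by the parser

def parse_button_attrs(markup: str) -> dict:
    parser = _ButtonAttrs()
    parser.feed(markup)
    return parser.attrs or {}

def attribute_intact(note: str, escape: bool = True) -> bool:
    """True when the note comes back as exactly one data-note value and nothing else."""
    attrs = parse_button_attrs(render_ban_button(note, escape))
    return set(attrs) == {"class", "data-note"} and attrs["data-note"] == note

def scan_notes(notes) -> list:
    """Heuristic audit of stored notes, broader than the page's LIKE query."""
    return [n for n in notes if SUSPICIOUS.search(n)]
```

The structural check (`attribute_intact`) is the more reliable signal: a note that parses back into extra attributes has escaped its container regardless of whether it matches any pattern.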

