CVE-2026-39392
Received Received - Intake
Stored XSS in CI4MS Pages Module via Unsanitized Content

Publication date: 2026-04-08

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the database and rendered as raw HTML on the public frontend via echo $pageInfo->content. An authenticated admin with page-editing privileges can inject arbitrary JavaScript that executes in the browser of every public visitor viewing the page. This vulnerability is fixed in 0.31.4.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39392
EUVD
EUVD-2026-20485
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ci4-cms-erp ci4ms to 0.31.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39392 is a stored Cross-Site Scripting (XSS) vulnerability in the Pages module of the ci4-cms-erp/ci4ms CMS package versions up to 0.31.3.0.

Unlike the Blog module, which sanitizes content fields using the html_purify validation rule, the Pages module does not apply this sanitization during page creation and update. As a result, raw HTML including malicious JavaScript can be stored directly in the database.

When the page content is rendered on the public frontend, it is output as raw HTML without escaping, allowing any injected JavaScript to execute in the browsers of visitors.

This vulnerability allows an authenticated admin user with page-editing privileges to inject arbitrary JavaScript code that runs for every public visitor viewing the page.

Impact Analysis

The vulnerability can lead to several security impacts for public visitors and the site itself.

  • Execution of arbitrary JavaScript in visitors' browsers.
  • Potential session hijacking by stealing cookies.
  • Credential theft through fake login forms or keylogging.
  • Site defacement by injecting malicious content.
  • Malware distribution by redirecting visitors or loading external payloads.

Additionally, in environments with multiple admins, a lower-privileged admin with page-editing rights could exploit this to compromise higher-privileged admins.

Detection Guidance

This vulnerability can be detected by checking if the Pages module in the ci4-cms-erp/ci4ms CMS is applying the html_purify validation rule to content fields during create and update operations. Specifically, you can verify whether the validation rules for 'lang.*.content' in the Pages controller include 'html_purify'.

Additionally, you can inspect the database for pages containing unsanitized HTML or suspicious <script> tags in the content fields, which indicate possible exploitation.

Suggested commands include:

  • Review the validation rules in the Pages controller source code (e.g., modules/Pages/Controllers/Pages.php) to check for the presence of 'html_purify'. For example, use grep or similar tools:
  • grep -A 10 "lang.*.content" modules/Pages/Controllers/Pages.php
  • Query the database to find pages with potential malicious scripts, for example (assuming SQL):
  • SELECT id, content FROM pages WHERE content LIKE '%<script>%';
  • Use web application scanning tools or custom scripts to detect stored XSS by submitting test payloads if you have admin access.
Mitigation Strategies

The immediate mitigation step is to update the Pages module to apply the 'html_purify' validation rule to the content fields during page creation and update operations, aligning it with the Blog module's implementation.

Specifically, modify the validation rules in the Pages controller to include:

  • 'lang.*.content' => [ 'label' => lang('Backend.content'), 'rules' => 'required|html_purify' ]

Additionally, as a defense-in-depth measure, ensure that the frontend escapes or sanitizes content output, for example by using the existing esc() helper with the 'raw' context, to prevent rendering of unsanitized HTML.

If an update or patch is available, upgrade to version 0.31.4.0 or later where this vulnerability is fixed.

Limit admin privileges to trusted users only, as exploitation requires authenticated admin access.

Compliance Impact

This vulnerability allows an authenticated admin to inject arbitrary JavaScript into page content, which executes in the browsers of public visitors. Such exploitation can lead to session hijacking, credential theft, site defacement, or malware distribution.

From a compliance perspective, this poses risks to data confidentiality and integrity, potentially violating regulations like GDPR and HIPAA that require protection of personal data and secure handling of user information.

Specifically, the unauthorized execution of malicious scripts could lead to exposure or theft of personal data (e.g., cookies or credentials), which may result in non-compliance with data protection standards mandating safeguards against such attacks.

However, exploitation requires admin-level access, which may limit the scope of compliance impact to environments where admin credentials are compromised or misused.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39392. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart