CVE-2026-39391 | THREATINT

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page. This vulnerability is fixed in 0.31.4.0.

PUBLISHED Reserved 2026-04-06 | Published 2026-04-08 | Updated 2026-04-08 | Assigner GitHub_M

MEDIUM: 4.8CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 0.31.4.0

affected

References

github.com/.../ci4ms/security/advisories/GHSA-7cm9-v848-cfh2 exploit

github.com/.../ci4ms/security/advisories/GHSA-7cm9-v848-cfh2

cve.org (CVE-2026-39391)

nvd.nist.gov (CVE-2026-39391)

Download JSON