Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page. This vulnerability is fixed in 0.31.4.0.

INFO

Published Date :

2026-04-08T14:30:18.750Z

Last Modified :

2026-04-08T15:18:08.667Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39391 vulnerability.

Vendors Products
Ci4-cms-erp
  • Ci4ms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39391.

URL Resource
https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-7cm9-v848-cfh2 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact