Platform
php
Component
ci4-cms-erp/ci4ms
Fixed in
0.31.5
0.31.4.0
CVE-2026-39390 is a cross-site scripting (XSS) vulnerability affecting CI4MS CMS ERP versions up to 0.31.3.0. An attacker can exploit this flaw to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement. The vulnerability stems from insufficient sanitization of the srcdoc attribute within the Google Maps iframe configuration. A patch is available in version 0.31.4.0.
Successful exploitation of CVE-2026-39390 allows an attacker with administrative privileges to inject arbitrary HTML and JavaScript into the CI4MS CMS ERP frontend. This malicious script executes within the context of the victim's browser, granting the attacker the ability to steal cookies, redirect users to phishing sites, or modify the content of the page. The blast radius extends to all unauthenticated frontend visitors who view the affected page. While requiring admin access to initially inject the payload, the impact can be widespread, affecting numerous users. The use of HTML entity encoding allows bypassing of some basic sanitization attempts, making exploitation more straightforward.
CVE-2026-39390 was published on 2026-04-08. Severity is currently assessed as Medium (CVSS 5.5). No public proof-of-concept exploits are currently known. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of active exploitation at this time. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-39390 is to upgrade CI4MS CMS ERP to version 0.31.4.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing <iframe srcdoc=" followed by suspicious JavaScript patterns. Carefully review and restrict user roles and permissions to limit the number of users with administrative access. Monitor application logs for unusual activity, particularly related to Google Maps iframe configurations. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple <iframe srcdoc="<script>alert(1)</script>"></iframe> payload in the Google Maps iframe settings and verifying that the alert does not appear.
Actualice CI4MS a la versión 0.31.4 o superior para mitigar la vulnerabilidad de XSS. Esta versión corrige el problema al sanitizar correctamente el atributo srcdoc en la configuración de Google Maps, evitando la ejecución de código malicioso.
Vulnerability analysis and critical alerts directly to your inbox.
It's a Medium severity XSS vulnerability in CI4MS CMS ERP versions up to 0.31.3.0, allowing attackers to inject malicious scripts via the Google Maps iframe.
If you are using CI4MS CMS ERP version 0.31.3.0 or earlier, you are potentially affected by this vulnerability.
Upgrade CI4MS CMS ERP to version 0.31.4.0 or later to resolve the XSS vulnerability. Consider WAF rules as a temporary workaround.
Currently, there are no known public exploits or active campaigns targeting CVE-2026-39390, but vigilance is still advised.
Refer to the official CI4MS CMS ERP security advisories and the NVD entry for CVE-2026-39390 for detailed information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.