Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.5, 0.31.4.0
CVE-2026-39392 describes a cross-site scripting (XSS) vulnerability in the ci4-cms-erp/ci4ms CMS ERP system. This flaw allows an authenticated administrator with page-editing privileges to inject malicious JavaScript code that executes in the browsers of all public visitors to the affected pages. The vulnerability impacts versions of ci4-cms-erp/ci4ms up to and including 0.31.3.0, and a fix is available in version 0.31.4.0.
An attacker exploiting this XSS vulnerability can execute arbitrary JavaScript code within the context of the victim's browser. This could lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive information such as cookies and login credentials. The impact is particularly severe because the injected script affects all users who view the compromised page, potentially impacting a wide audience. Unlike the Blog module, the Pages module lacks proper HTML sanitization, making it a prime target for exploitation. This vulnerability shares similarities with other XSS flaws where unsanitized user input is directly rendered on a web page.
CVE-2026-39392 was publicly disclosed on 2026-04-08. There is no indication of this vulnerability being actively exploited in the wild at this time. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score reflects the requirement for authentication and the potential impact on all visitors viewing the affected page.
Exploit Status
EPSS: 0.01% (1st percentile)
The primary mitigation for CVE-2026-39392 is to upgrade to version 0.31.4.0 or later of ci4-cms-erp/ci4ms. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious JavaScript code in page content. Additionally, carefully review and sanitize all user-supplied input before rendering it on the frontend. While a direct workaround isn't available, restricting page editing privileges to trusted administrators can reduce the attack surface. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into a page's content and verifying that it is properly sanitized and does not execute.
Update the Pages module to version 0.31.4 or higher to mitigate the XSS vulnerability. This version implements html_purify validation on content fields, preventing the injection of malicious code.
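The html_purify validation only applies to content saved after the upgrade, so pages edited on a vulnerable version should be re-checked. The following audit script is an added example, not code from the ci4ms project: it parses stored page bodies and flags the markup that lets a stored page execute script in a visitor's browser. The page records are constructed samples; the column names and table layout are assumptions.

```python
"""Audit stored CMS page content for script-bearing markup (added example).

Assumes page rows are available as (page_id, content) pairs, for instance
exported from the Pages module's database table. The sample rows below are
constructed for demonstration and are not taken from any real site.
"""
import re
from html.parser import HTMLParser

# Elements and attribute patterns that allow stored HTML to run script.
SCRIPT_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}
JS_SCHEME = re.compile(r"^\s*(javascript|vbscript):", re.IGNORECASE)


class ScriptFinder(HTMLParser):
    """Collect a human-readable finding for each risky tag or attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in SCRIPT_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onerror, onload, onclick, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value and JS_SCHEME.match(value):
                self.findings.append(f"{name} uses script scheme on <{tag}>")


def find_script_markup(html):
    """Return the list of findings for a single page body (empty if clean)."""
    parser = ScriptFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_pages(rows):
    """Map page_id -> findings for every row that contains risky markup."""
    return {pid: f for pid, content in rows if (f := find_script_markup(content))}


SAMPLE_PAGES = [  # constructed sample rows, not real content
    (1, "<h1>About us</h1><p>Plain text page.</p>"),
    (2, "<p>Hi</p><script>alert(1)</script>"),
    (3, '<img src="x" onerror="alert(1)">'),
    (4, '<a href="javascript:void(0)">click</a>'),
]

if __name__ == "__main__":
    for pid, findings in audit_pages(SAMPLE_PAGES).items():
        print(f"page {pid}: {', '.join(findings)}")
```

Flagged pages should be reviewed by hand, since the parser reports structure that can carry script rather than proving malicious intent.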
CVE-2026-39392 is a cross-site scripting (XSS) vulnerability in ci4-cms-erp/ci4ms versions up to 0.31.3.0, allowing authenticated admins to inject JavaScript.
You are affected if you are using ci4-cms-erp/ci4ms version 0.31.3.0 or earlier and have administrators with page editing privileges.
Upgrade to version 0.31.4.0 or later. Consider a WAF rule as a temporary mitigation.
There is no current evidence of active exploitation of CVE-2026-39392.
Refer to the official ci4-cms-erp/ci4ms project repository or website for the advisory related to CVE-2026-39392.