CVE-2026-39392

CI4MS is a CodeIgniter 4-based CMS skeleton. Prior to 0.31.4.0, the Pages module does not apply html_purify to content on create/update, so page content is stored unsanitized and rendered as raw HTML on the public frontend. An authenticated admin with page-editing privileges can inject arbitrary ...

CVE-2026-39391 CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into a...

CVE-2026-39391

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into a...

CVE-2026-39391 CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into a...

CVE-2026-39391

CVE-2026-39391 affects CI4MS, a CodeIgniter 4-based CMS skeleton. Before 0.31.4.0, the blacklist (ban) note parameter stored in the database was rendered into an HTML data-note attribute without escaping, enabling a stored XSS when an admin with blacklist privileges views the user management page...

CVE-2026-39390 CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting cMap field in compInfosPost sanitizes input using striptags with an allowlist and regex-based removal of...

CVE-2026-39390

CVE-2026-39390 affects CI4MS (CodeIgniter 4-based CMS skeleton). Before version 0.31.4.0, the Google Maps iframe setting (cMap) in compInfosPost() sanitizes input with strip_tags() for an allowlist and regex stripping of on\w+ handlers, but the srcdoc attribute is not filtered, allowing an attac...

CVE-2026-39389

Summary: CVE-2026-39389 affects CI4MS (CodeIgniter 4 CMS skeleton) via a hidden-items authorization bypass in the Fileeditor module. Public docs show that hiddenItems (e.g., .env, composer.json, vendor/, etc.) are enforced only in listing; readFile() allows reading any file under ROOTPATH, and sa...

CVE-2026-39389

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0...

CVE-2026-39389 CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0...

CVE-2026-39389 CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0...

PT-2026-31320

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.4.0 Description The install route guard in CI4MS relies on a cache check and the existence of a .env file to prevent access to the setup wizard after installation. If the database is temporarily unreachable when th...

PT-2026-31321

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.4.0 Description CI4MS, a CodeIgniter 4-based CMS, is susceptible to arbitrary configuration injection via the .env file. The Install::index controller does not validate the host POST parameter before passing it to...

PT-2026-31317

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting cMap field in compInfosPost sanitizes input using strip tags with an allowlist and regex-based removal of...

PT-2026-31316

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0...

PT-2026-31319

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html purify validation rule to content fields during create and update operations, while the Blog...

PT-2026-31318

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist ban note parameter in UserController::ajax blackList post is stored in the database without sanitization and rendered into...

CVE-2026-32712

Open Source Point of Sale (OSPOS) has a Stored XSS vulnerability in the Daily Sales page prior to version 3.4.3. The issue arises from the customer_name field being configured with escape: false in the bootstrap-table setup, causing customer names to render as raw HTML. With customer management p...

CVE-2026-39380

Open Source Point of Sale (OSPOS) has a Stored XSS in the Stock Locations configuration. Before version 3.4.3, the stock_location input is not properly sanitized, allowing injected JavaScript to be stored in the database and executed when viewing the Employees interface. Affected product: OSPOS (...

CVE-2026-34989

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name e.g., full name / username. An...