GHSA-GQR2-7HCG-RCHF CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule

Summary The Pages backend module registers the htmlpurify validation rule on language-keyed page content but persists the raw, un-purified POST value into the database. The public renderer for pages Home::index → app/Views/templates/default/pages.php emits $pageInfo-content without esc, yielding...

CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule

Summary The Pages backend module registers the htmlpurify validation rule on language-keyed page content but persists the raw, un-purified POST value into the database. The public renderer for pages Home::index → app/Views/templates/default/pages.php emits $pageInfo-content without esc, yielding...

GHSA-2M69-JMVH-6CHR CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule

Summary The custom htmlpurify validation rule used to sanitize blog post bodies relies on by-reference mutation ?string &$str, but CodeIgniter 4's validator passes a local copy of the value, so the sanitized text is silently discarded. The Blog controller writes $lanData'content' directly into...

PT-2026-41770

Summary The Pages backend module registers the html purify validation rule on language-keyed page content but persists the raw, un-purified POST value into the database. The public renderer for pages Home::index → app/Views/templates/default/pages.php emits $pageInfo-content without esc, yielding...

EUVD-2026-20485

CI4MS has stored XSS in Pages Content Due to Missing htmlpurify Sanitization...

CVE-2026-39392

CI4MS is a CodeIgniter 4-based CMS skeleton. Prior to 0.31.4.0, the Pages module does not apply html_purify to content on create/update, so page content is stored unsanitized and rendered as raw HTML on the public frontend. An authenticated admin with page-editing privileges can inject arbitrary ...

egg-html-purify (>=1.0.0 <=1.0.2), think-purify (>=1.0.0 <=1.1.4) potentially affected by unknown CVE via html-purify (=1.1.0)

html-purify NPM version =1.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on html-purify and may be impacted: - egg-html-purify =1.0.0, =1.0.0, =1.1.4 Source cves: unknown CVE Source advisory: OSV:GHSA-5P28-63MC-CGR9...

Cross-Site Scripting bypass in html-purify

All versions of html-purify are vulnerable to cross-site scripting. The data attribute inside of object tags is not properly sanitized and allows javascript URIs leading to code execution. No fix is currently available. Consider using an alternative package until a fix is made available...

Cross-Site Scripting bypass

Overview All versions of html-purify are vulnerable to cross-site scripting. The data attribute inside of object tags is not properly sanitized and allows javascript URIs leading to code execution. Recommendation No fix is currently available. Consider using an alternative package until a fix is...