CVE-2026-27599 (GCVE-0-2026-27599)

Vulnerability from cvelistv5 – Published: 2026-03-30 20:24 – Updated: 2026-04-02 14:08

Title

CI4MS: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.

Severity ?

4.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

https://github.com/ci4-cms-erp/ci4ms/security/adv…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	ci4-cms-erp	ci4ms	Affected: < 0.31.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27599",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T14:08:02.878687Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T14:08:29.933Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ci4ms",
          "vendor": "ci4-cms-erp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.31.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings \u2013 Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T20:24:08.968Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3"
        }
      ],
      "source": {
        "advisory": "GHSA-66m2-v9v9-95c3",
        "discovery": "UNKNOWN"
      },
      "title": "CI4MS: System Settings (Mail Settings) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27599",
    "datePublished": "2026-03-30T20:24:08.968Z",
    "dateReserved": "2026-02-20T19:43:14.602Z",
    "dateUpdated": "2026-04-02T14:08:29.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27599\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-30T21:17:08.573\",\"lastModified\":\"2026-04-06T17:42:14.267\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings \u2013 Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.\"},{\"lang\":\"es\",\"value\":\"CI4MS es un esqueleto de CMS basado en CodeIgniter 4 que ofrece una arquitectura modular lista para producci\u00f3n con autorizaci\u00f3n RBAC y soporte de temas. Antes de la versi\u00f3n 0.31.0.0, la aplicaci\u00f3n no logra sanear correctamente la entrada controlada por el usuario dentro de Configuraci\u00f3n del Sistema \u2013 Configuraci\u00f3n de Correo. Varios campos de configuraci\u00f3n, incluyendo Servidor de Correo, Puerto de Correo, Direcci\u00f3n de Correo Electr\u00f3nico, Contrase\u00f1a de Correo Electr\u00f3nico, Protocolo de Correo y configuraciones TLS, aceptan entrada controlada por el atacante que se almacena en el lado del servidor y luego se renderiza sin una codificaci\u00f3n de salida adecuada. Este problema ha sido parcheado en la versi\u00f3n 0.31.0.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.2,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.31.0.0\",\"matchCriteriaId\":\"805F6B8A-9324-4CA4-BADE-439CC15DA14C\"}]}]}],\"references\":[{\"url\":\"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27599\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-02T14:08:02.878687Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-02T14:08:26.301Z\"}}], \"cna\": {\"title\": \"CI4MS: System Settings (Mail Settings) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS\", \"source\": {\"advisory\": \"GHSA-66m2-v9v9-95c3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"ci4-cms-erp\", \"product\": \"ci4ms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.31.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3\", \"name\": \"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings \\u2013 Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-30T20:24:08.968Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-27599\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-02T14:08:29.933Z\", \"dateReserved\": \"2026-02-20T19:43:14.602Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-30T20:24:08.968Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-27599

Vulnerability from fkie_nvd - Published: 2026-03-30 21:17 - Updated: 2026-04-06 17:42

Severity ?

4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	ci4-cms-erp	ci4ms	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "805F6B8A-9324-4CA4-BADE-439CC15DA14C",
              "versionEndExcluding": "0.31.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings \u2013 Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0."
    },
    {
      "lang": "es",
      "value": "CI4MS es un esqueleto de CMS basado en CodeIgniter 4 que ofrece una arquitectura modular lista para producci\u00f3n con autorizaci\u00f3n RBAC y soporte de temas. Antes de la versi\u00f3n 0.31.0.0, la aplicaci\u00f3n no logra sanear correctamente la entrada controlada por el usuario dentro de Configuraci\u00f3n del Sistema \u2013 Configuraci\u00f3n de Correo. Varios campos de configuraci\u00f3n, incluyendo Servidor de Correo, Puerto de Correo, Direcci\u00f3n de Correo Electr\u00f3nico, Contrase\u00f1a de Correo Electr\u00f3nico, Protocolo de Correo y configuraciones TLS, aceptan entrada controlada por el atacante que se almacena en el lado del servidor y luego se renderiza sin una codificaci\u00f3n de salida adecuada. Este problema ha sido parcheado en la versi\u00f3n 0.31.0.0."
    }
  ],
  "id": "CVE-2026-27599",
  "lastModified": "2026-04-06T17:42:14.267",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-30T21:17:08.573",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-66M2-V9V9-95C3

Vulnerability from github – Published: 2026-03-30 16:19 – Updated: 2026-03-31 18:39

Summary

ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Details

Summary

Vulnerability: Stored DOM XSS via System Settings – Mail Settings (Same-Page Attribute Breakout & Persistent Payload Injection)

Stored Cross-Site Scripting via Unsanitized Mail Settings Configuration Fields

Description

The application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding.

Unlike public-facing XSS that executes on landing pages, this vulnerability executes immediately on the same settings page. The injected payload breaks out of the HTML attribute context and is interpreted by the browser when rendered, resulting in same-page DOM-based XSS.

This represents different functionality and a separate vulnerability from landing-page injection.

Example Affected Fields

Mail Server: test
Mail Port: 465
Email Address: simple@gmail.com
Email Password: (any input)
Mail Protocol: SMTP
Domain: simple@domain.com

Affected Functionality

System Settings – Mail Settings configuration
Same-page rendering of user-controlled input fields
DOM attribute injection within form inputs
Storage and retrieval of mail configuration values

Attack Scenario

An attacker injects a malicious JavaScript payload into one or more Mail Settings fields.
The payload breaks out of the HTML attribute context.
The application stores and re-renders the payload without sanitization or encoding.
The payload executes immediately on the same settings page.
The script executes in the browser context of the authenticated user managing Mail Settings.

Impact

Persistent Stored XSS
Immediate Same-Page DOM XSS execution
Execution of arbitrary JavaScript in victims’ browsers
Administrative privilege escalation
Full administrator account takeover
Full account takeover across all roles
Full compromise of the entire platform

Endpoints: - /backend/settings/ (Mail Settings)

Steps To Reproduce (POC)

Navigate to System Settings -> Mail Settings
Insert the following XSS payload into any Mail Settings field: test"><img src=1 onerror=alert()>" class="form-control" placeholder="Name" required>
Save the settings
Observe that the payload breaks out of the input attribute context
The XSS executes immediately on the same page

Remediation

Never use .html() or any innerHTML-style sinks for user-controlled input in PHP or JavaScript.
Apply proper HTML encoding and input sanitization for all configuration fields.
Enforce CSP, HttpOnly, SameSite, and Secure flags for cookies to reduce the severity of XSS and potential CSRF escalation.
Audit all other system settings fields for similar attribute injection vulnerabilities.

Ready Video POC:

https://mega.nz/file/KRNhUI6Q#NGC3Bow3RlnmdU1H2bGu1BGbpfIc-awi6IlvTp08V1s

Severity ?

4.7 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.28.6.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "ci4-cms-erp/ci4ms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T16:19:05Z",
    "nvd_published_at": "2026-03-30T21:17:08Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n### **Vulnerability: Stored DOM XSS via System Settings \u2013 Mail Settings (Same-Page Attribute Breakout \u0026 Persistent Payload Injection)**\n- Stored Cross-Site Scripting via Unsanitized Mail Settings Configuration Fields\n\n### Description\nThe application fails to properly sanitize user-controlled input within **System Settings \u2013 Mail Settings**. Several configuration fields, including **Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings**, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding.\n\nUnlike public-facing XSS that executes on landing pages, this vulnerability executes immediately on the same settings page. The injected payload breaks out of the HTML attribute context and is interpreted by the browser when rendered, resulting in same-page DOM-based XSS.\n\nThis represents different functionality and a separate vulnerability from landing-page injection.\n\n### Example Affected Fields\n- Mail Server: `test`\n- Mail Port: `465`\n- Email Address: `simple@gmail.com`\n- Email Password: (any input)\n- Mail Protocol: `SMTP`\n- Domain: `simple@domain.com`\n\n### Affected Functionality\n- System Settings \u2013 Mail Settings configuration\n- Same-page rendering of user-controlled input fields\n- DOM attribute injection within form inputs\n- Storage and retrieval of mail configuration values\n\n### Attack Scenario\n- An attacker injects a malicious JavaScript payload into one or more Mail Settings fields.\n- The payload breaks out of the HTML attribute context.\n- The application stores and re-renders the payload without sanitization or encoding.\n- The payload executes immediately on the same settings page.\n- The script executes in the browser context of the authenticated user managing Mail Settings.\n\n### Impact\n- Persistent Stored XSS\n- Immediate Same-Page DOM XSS execution\n- Execution of arbitrary JavaScript in victims\u2019 browsers\n- Administrative privilege escalation\n- Full administrator account takeover\n- Full account takeover across all roles\n- Full compromise of the entire platform\n\nEndpoints:\n- `/backend/settings/` (Mail Settings)\n\n## Steps To Reproduce (POC)\n1. Navigate to System Settings -\u003e Mail Settings\n2. Insert the following XSS payload into any Mail Settings field:\n`test\"\u003e\u003cimg src=1 onerror=alert()\u003e\" class=\"form-control\" placeholder=\"Name\" required\u003e`\n3. Save the settings\n4. Observe that the payload breaks out of the input attribute context\n5. The XSS executes immediately on the same page\n\n## Remediation\n- Never use .html() or any innerHTML-style sinks for user-controlled input in PHP or JavaScript.\n- Apply proper **HTML encoding and input sanitization** for all configuration fields.\n- Enforce CSP, HttpOnly, SameSite, and Secure flags for cookies to reduce the severity of XSS and potential CSRF escalation.\n- Audit all other system settings fields for similar attribute injection vulnerabilities.\n\n# Ready Video POC:\nhttps://mega.nz/file/KRNhUI6Q#NGC3Bow3RlnmdU1H2bGu1BGbpfIc-awi6IlvTp08V1s",
  "id": "GHSA-66m2-v9v9-95c3",
  "modified": "2026-03-31T18:39:50Z",
  "published": "2026-03-30T16:19:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27599"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ci4-cms-erp/ci4ms"
    },
    {
      "type": "WEB",
      "url": "https://mega.nz/file/KRNhUI6Q#NGC3Bow3RlnmdU1H2bGu1BGbpfIc-awi6IlvTp08V1s"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise \u0026 Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-27599 (GCVE-0-2026-27599)

FKIE_CVE-2026-27599

GHSA-66M2-V9V9-95C3

Summary

Vulnerability: Stored DOM XSS via System Settings – Mail Settings (Same-Page Attribute Breakout & Persistent Payload Injection)

Description

Example Affected Fields

Affected Functionality

Attack Scenario

Impact

Steps To Reproduce (POC)

Remediation

Ready Video POC:

Tags

Sightings

Nomenclature