PT-2026-29117 · Ci4Ms (+1)

Bugmithlegend (+2) · Published 2026-03-30 · Updated 2026-03-31 · CVE-2026-27599

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.0.0

Description: CI4MS, a CodeIgniter 4-based CMS skeleton, does not properly sanitize user-controlled input within System Settings – Mail Settings. Configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and rendered without proper output encoding. This results in stored, same-page DOM-based Cross-Site Scripting (XSS): an attacker can inject a malicious JavaScript payload into these fields, and it executes immediately on the same settings page in the browser context of the authenticated user. The affected functionality is the System Settings – Mail Settings configuration and the rendering of these user-controlled input fields. The endpoint /backend/settings/ (Mail Settings) is involved. Vulnerable parameters include Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and Domain.

Recommendations: Versions prior to 0.31.0.0 should be updated to version 0.31.0.0 or later. Apply proper HTML encoding and input sanitization for all configuration fields. Enforce CSP, and set the HttpOnly, SameSite, and Secure flags on cookies, to reduce the severity of XSS and potential CSRF escalation. Audit all other system settings fields for similar attribute injection vulnerabilities.
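The description above says the stored Mail Settings values are rendered without output encoding, and the recommendation asks for HTML encoding of every configuration field. The following PHP file is an added illustration, not code from the CI4MS project: it renders a settings input the vulnerable way (raw interpolation into value="...") and the hardened way (attribute-context encoding), then parses both fragments with DOMDocument to show that the unencoded version grows an attribute the template never wrote. Field names, values and function names are constructed for the example; encodeAttr() stands in for CodeIgniter's esc($value, 'attr') so the file runs with a bare php binary.

```php
<?php
// Added example, not CI4MS project code. Demonstrates the attribute-injection
// pattern the advisory describes (a stored Mail Settings value echoed raw into
// value="...") beside the context-aware encoding the recommendation calls for,
// with a DOM-based check that tells the two apart. All data below is constructed.

declare(strict_types=1);

/**
 * Attribute-context HTML encoding. CodeIgniter 4's esc($value, 'attr') does the
 * same job through Laminas Escaper; plain htmlspecialchars() is used here so the
 * file has no framework dependency.
 */
function encodeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: the stored value is interpolated without encoding. */
function renderFieldUnsafe(string $name, string $value): string
{
    return sprintf('<input type="text" name="%s" value="%s">', $name, $value);
}

/** Hardened rendering: every interpolated value is encoded for the attribute context. */
function renderFieldSafe(string $name, string $value): string
{
    return sprintf('<input type="text" name="%s" value="%s">', encodeAttr($name), encodeAttr($value));
}

/**
 * Parse a rendered fragment the way a browser would and return the attribute
 * names of the first <input>. A value that broke out of value="..." shows up
 * here as an attribute the template never emitted.
 */
function inputAttributeNames(string $fragment): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $fragment . '</body></html>');
    libxml_clear_errors();

    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Constructed stored settings. mail_server carries a double quote that closes
// the value attribute; no script is needed to prove the breakout.
$storedSettings = [
    'mail_server' => 'smtp.example.test" data-injected="1',
    'mail_port'   => '587',
];

// Attributes the template legitimately writes; anything else came from the data.
$expected = ['type', 'name', 'value'];

foreach ($storedSettings as $field => $value) {
    foreach (['unsafe' => 'renderFieldUnsafe', 'safe' => 'renderFieldSafe'] as $label => $renderer) {
        $html  = $renderer($field, $value);
        $extra = array_diff(inputAttributeNames($html), $expected);
        printf("%-6s %-11s %s\n", $label, $field, $extra ? 'BREAKOUT: ' . implode(',', $extra) : 'ok');
        echo '       ', $html, "\n";
    }
}
```

Running it reports BREAKOUT: data-injected for the unsafe rendering of mail_server and ok for the other three cases, which is the check to apply to every settings field the advisory lists. In a CodeIgniter 4 view the hardened line is value="<?= esc($settings['mail_server'], 'attr') ?>", with the context argument chosen per sink (html, attr, js, css, url) rather than a single global filter. For the cookie and CSP part of the recommendation, current 4.x releases expose the Secure, HttpOnly and SameSite flags in app/Config/Cookie.php ($secure, $httponly, $samesite) and enable the Content-Security-Policy header through Config\App::$CSPEnabled together with app/Config/ContentSecurityPolicy.php; confirm the exact property names against the framework version in use.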

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2026-27599
GHSA-66M2-V9V9-95C3

Affected Products
Ci4Ms
Codeigniter4