PT-2026-31317 · Ci4Ms · Ci4Ms

Published: 2026-04-08 · Updated: 2026-04-08 · CVE-2026-39390

CVSS v3.1: 5.5 Medium (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)
Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.4.0

Description: CI4MS is a CodeIgniter 4-based CMS skeleton. Prior to version 0.31.4.0, the Google Maps iframe setting (the cMap field) handled by the compInfosPost() function does not properly sanitize the srcdoc attribute of the stored iframe. An attacker with admin access can therefore save an iframe payload whose srcdoc carries HTML-entity-encoded JavaScript; the browser decodes those entities when it parses the attribute, so the injected code executes in the context of the parent page whenever an unauthenticated user views it.

Recommendations: Update to version 0.31.4.0 or later.
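A server-side validator for a Google Maps iframe setting of the kind described above, added here as an illustration; it is not CI4MS's own code or fix. It parses the stored markup with Python's html.parser, which decodes HTML entities in attribute values the way a browser does before the srcdoc document is parsed, and then accepts only a single iframe whose attributes are on an allowlist and whose src is an https Google Maps embed URL. The allowlist, the accepted host and path prefix, and the function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for the map embed setting (not the project's own allowlist).
ALLOWED_ATTRS = {"src", "width", "height", "style", "allowfullscreen",
                 "loading", "referrerpolicy", "title"}
ALLOWED_HOST = "www.google.com"
ALLOWED_PATH_PREFIX = "/maps/embed"


class _IframeCollector(HTMLParser):
    """Records every start tag seen and the attributes of each <iframe>."""

    def __init__(self):
        super().__init__()
        self.tags = []          # every start tag, in document order
        self.iframe_attrs = []  # one dict of attributes per <iframe>

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "iframe":
            # Values arrive entity-decoded: a srcdoc holding &lt;script&gt;
            # is seen here as <script>, exactly as a browser would see it.
            self.iframe_attrs.append({k: (v or "") for k, v in attrs})


def validate_map_embed(markup: str):
    """Return (ok, reason); ok is True only for one allowlisted iframe."""
    p = _IframeCollector()
    p.feed(markup)
    p.close()
    if p.tags != ["iframe"] or len(p.iframe_attrs) != 1:
        return False, "setting must contain exactly one <iframe> and no other element"
    attrs = p.iframe_attrs[0]
    # Default-deny on attributes: srcdoc, on* handlers and anything else
    # not explicitly allowed is rejected regardless of how it is encoded.
    bad = sorted(set(attrs) - ALLOWED_ATTRS)
    if bad:
        return False, "disallowed attribute(s): " + ", ".join(bad)
    url = urlsplit(attrs.get("src", ""))
    if (url.scheme != "https" or url.hostname != ALLOWED_HOST
            or not url.path.startswith(ALLOWED_PATH_PREFIX)):
        return False, "src must be an https Google Maps embed URL"
    return True, "ok"
```

The check runs on the value submitted to the settings handler, before it is stored, so a rejected setting never reaches the public page.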

Tags: Exploit, Fix, XSS

Weakness Enumeration

Related Identifiers

CVE-2026-39390
GHSA-X3HR-CP7X-44R2

Affected Products

Ci4Ms