PT-2026-31318 · Ci4Ms+1

Published 2026-04-08 · Updated 2026-04-08 · CVE-2026-39391

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.4.0
Description: CI4MS is a CodeIgniter 4-based CMS skeleton. Prior to version 0.31.4.0, the blacklist note parameter in the ajax blackList post() function within the UserController is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. This allows an administrator with blacklist privileges to inject arbitrary JavaScript that executes in the browser of any other administrator viewing the user management page.
Recommendations: Update to version 0.31.4.0 or later.
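The defect class described above is output into an HTML attribute context without escaping. The following is an added PHP illustration, not CI4MS code and not taken from the advisory or the fix: it renders a stored note into a data-note attribute first in the unescaped form and then escaped for the attribute context. The function names (escapeAttr, renderRowUnescaped, renderRowEscaped) and the sample note value are constructed for this example.

```php
<?php
// Added illustration (not CI4MS code): a stored note rendered into an
// HTML data-note attribute, unescaped versus escaped for attribute context.

declare(strict_types=1);

// Escape a value for use inside a double-quoted HTML attribute.
// ENT_QUOTES encodes both quote characters so the value cannot terminate the
// attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
// In a CodeIgniter 4 view the framework helper for this context is
// esc($note, 'attr'); plain htmlspecialchars is used here so the script
// runs without the framework.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the stored note is concatenated straight into markup,
// so a note containing a double quote ends the attribute and whatever follows
// is parsed as new attributes on the element.
function renderRowUnescaped(string $username, string $note): string
{
    return '<tr data-note="' . $note . '"><td>' . $username . '</td></tr>';
}

// Hardened pattern: every untrusted value is escaped for the context it
// lands in (attribute value for data-note, text node for the username).
function renderRowEscaped(string $username, string $note): string
{
    return '<tr data-note="' . escapeAttr($note) . '"><td>'
        . htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</td></tr>';
}

// Constructed sample note: closes the attribute and appends an event handler.
$note = '" onmouseover="alert(1)';

echo renderRowUnescaped('example-user', $note), PHP_EOL;
echo renderRowEscaped('example-user', $note), PHP_EOL;
```

Run with `php example.php` and compare the two rows: in the unescaped output the stored note becomes a second attribute on the `<tr>` element, while in the escaped output the double quote is emitted as `&quot;` and the whole note stays inside data-note as inert text. Escaping at render time is the fix the advisory's version bump corresponds to in spirit; validating or trimming the note on input is a reasonable complement but not a substitute, because the same stored value may later be rendered in other contexts.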

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-39391
GHSA-7CM9-V848-CFH2

Affected Products

Ci4Ms
Codeigniter4