PT-2026-31319 · Unknown+1 · Codeigniter4+2
Published: 2026-04-08 · Updated: 2026-04-08 · CVE-2026-39392
CVSS v3.1: 5.5 (Medium) · AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.4.0

Description: CI4MS is a CodeIgniter 4-based CMS skeleton. Prior to version 0.31.4.0, the Pages module lacked the html_purify validation rule for content fields during creation and updates, unlike the Blog module. This allowed an authenticated administrator with page-editing privileges to inject arbitrary JavaScript into page content, which was stored unsanitized in the database and rendered as raw HTML on the public frontend via echo $pageInfo->content. This could lead to session hijacking, credential theft, site defacement, or malware distribution. The vulnerability stems from the absence of the html_purify rule in the Pages module's create and update methods, specifically in modules/Pages/Controllers/Pages.php at lines 82 and 130. The vulnerable content is then output without escaping in app/Views/templates/default/pages.php at line 32. The html_purify custom validation rule is defined in modules/Backend/Validation/CustomRules.php and uses the HTMLPurifier library to sanitize HTML.

Recommendations: Add the html_purify validation rule to both the create and update methods in the Pages controller:
  • In modules/Pages/Controllers/Pages.php:82, change 'lang.*.content' => ['label' => lang('Backend.content'), 'rules' => 'required'] to 'lang.*.content' => ['label' => lang('Backend.content'), 'rules' => 'required|html_purify'].
  • In modules/Pages/Controllers/Pages.php:130, apply the same change.
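The following is an added example, not code from the CI4MS project or from this advisory, showing how the two layers described above fit together: an HTMLPurifier-backed validation rule in the shape of a CodeIgniter 4 custom rule, applied to the page's vulnerable and fixed rule sets, and the output-escaping fallback for the echo $pageInfo->content sink. The rule name html_purify is taken from the advisory; its signature, its allowed-tag whitelist, and the reject-if-changed logic are assumptions about how such a rule could be written, not the project's actual CustomRules.php. It assumes ezyang/htmlpurifier is installed via Composer.

```php
<?php
// Added example (not CI4MS project code). Assumes ezyang/htmlpurifier is
// installed via Composer. The rule signature, whitelist and reject-if-changed
// behaviour are assumptions, not the project's real html_purify rule.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumption: Composer autoloader

/**
 * Purify an HTML fragment with HTMLPurifier, keeping a small whitelist of
 * formatting tags. Script tags, event-handler attributes and non-http(s)
 * URLs are stripped by the library's own filtering.
 */
function purifyHtml(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,strong,em,ul,ol,li,a[href],br');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    return (new HTMLPurifier($config))->purify($html);
}

/**
 * Validation rule shaped like a CodeIgniter 4 custom rule (signature assumed):
 * the field passes only when purification leaves it unchanged, meaning nothing
 * had to be removed. Rejecting rather than silently rewriting keeps the
 * editor aware that their submission contained disallowed markup.
 */
function html_purify(?string $str, ?string &$error = null): bool
{
    $str = $str ?? '';
    if (purifyHtml($str) !== $str) {
        $error = 'The content contains HTML that is not allowed.';
        return false;
    }

    return true;
}

/** Run every rule named in a 'rules' string against one value. */
function validateContent(array $fieldRules, string $value): array
{
    $errors = [];
    foreach (explode('|', $fieldRules['rules']) as $rule) {
        if ($rule === 'required' && trim($value) === '') {
            $errors[] = 'The content field is required.';
        } elseif ($rule === 'html_purify') {
            $error = null;
            if (! html_purify($value, $error)) {
                $errors[] = $error;
            }
        }
    }

    return $errors;
}

// Rule sets as quoted on the page, without the lang() label helper.
$vulnerableRules = ['lang.*.content' => ['rules' => 'required']];
$fixedRules      = ['lang.*.content' => ['rules' => 'required|html_purify']];

// Constructed sample page content, as an administrator might submit it.
$samples = [
    'benign'  => '<p>Welcome to <b>our</b> site.</p>',
    'payload' => '<p>Hello</p><script>alert(1)</script>',
];

foreach ($samples as $name => $content) {
    $before = validateContent($vulnerableRules['lang.*.content'], $content);
    $after  = validateContent($fixedRules['lang.*.content'], $content);

    printf("%-8s required only   : %s\n", $name, $before ? implode('; ', $before) : 'accepted');
    printf("%-8s with html_purify: %s\n", $name, $after ? implode('; ', $after) : 'accepted');

    // Defence in depth at the output sink: where rich HTML is not needed,
    // escaping replaces the raw `echo $pageInfo->content` from the advisory.
    printf("%-8s escaped output  : %s\n\n", $name,
        htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}
```

With only the required rule, both samples are accepted and the script tag reaches storage; with html_purify added, the payload is rejected while the benign markup passes unchanged. The escaped rendering is shown because input validation alone does not protect content that entered the database before the fix was applied; escaping at the view, or re-purifying on output, covers already-stored rows.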

Tags: Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2026-39392
GHSA-FJPJ-6QCQ-6PW2

Affected Products

Ci4Ms
Codeigniter4
Html Purifier