What is the CVSS score of CVE-2026-39391?

CVE-2026-39391 has a CVSS 3.1 base score of 4.8 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-39391?

Yes, a patch is available for CVE-2026-39391. Update the affected software to the latest version immediately.

Ci4ms CVE-2026-39391

EUVD-2026-20484 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-08 GitHub_M

GHSA-7cm9-v848-cfh2

XSS Ci4ms

4.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

4.8 MEDIUM

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Apr 09, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 08, 2026 - 15:16 euvd

EUVD-2026-20484

Analysis Generated

Apr 08, 2026 - 15:16 vuln.today

CVE Published

Apr 08, 2026 - 14:30 nvd

MEDIUM 4.8

DescriptionGitHub Advisory

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page. This vulnerability is fixed in 0.31.4.0.

AnalysisAI

Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with blacklist privileges to inject arbitrary JavaScript through unsanitized note parameters, which executes in the browsers of other administrators viewing the user management page. The vulnerability requires high-privilege authenticated access and user interaction (admin viewing the affected page), limiting real-world impact despite the network-accessible attack vector.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents moderate real-world risk despite a CVSS score of 4.8 (medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An administrator with user blacklist privileges injects a malicious JavaScript payload (e.g., fetching sensitive admin data or modifying other admin accounts) into a user's blacklist note field via the UserController::ajax_blackList_post() endpoint. The payload is stored unsanitized in the database. …
Remediation	Vendor-released patch: upgrade to CI4MS 0.31.4.0 or later, which includes sanitization of the blacklist note parameter before database storage and proper HTML escaping during attribute rendering. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-39391 vulnerability details – vuln.today

Back