CVE-2026-27599
Published: 30 March 2026
Summary
CVE-2026-27599 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 6.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of user-controlled inputs in mail settings fields to block XSS payloads before storage.
Mandates filtering and encoding of configuration outputs when rendered, preventing execution of stored XSS payloads in viewers' browsers.
Enforces least privilege to restrict high-privilege access to mail settings, reducing the attack surface for privileged users injecting XSS payloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in admin settings page directly enables arbitrary JavaScript execution (T1059.007) in other admins' browsers, facilitating browser session hijacking (T1185) and theft of web session cookies (T1539) as described in the CVE impact.
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fields,…
more
including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.
Deeper analysisAI
CVE-2026-27599 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting CI4MS, a CodeIgniter 4-based CMS skeleton providing production-ready modular architecture with RBAC authorization and theme support. In versions prior to 0.31.0.0, the application fails to sanitize user-controlled input in the System Settings – Mail Settings section. Fields such as Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings accept attacker input that is stored server-side and later rendered without proper output encoding, enabling stored XSS attacks.
The vulnerability has a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L), indicating exploitation over the network with low complexity but requiring high privileges (PR:H), such as administrative access. A privileged attacker can inject malicious payloads into the mail configuration fields, which are persisted and rendered unsafely when other users, including admins, view the settings page. This allows limited execution of arbitrary JavaScript in the victim's browser context, potentially leading to low-impact confidentiality, integrity, and availability effects, such as session hijacking or minor data manipulation for authenticated viewers.
The GitHub Security Advisory (GHSA-66m2-v9v9-95c3) confirms the issue has been patched in CI4MS version 0.31.0.0, recommending immediate upgrades to mitigate the vulnerability. Security practitioners should review access controls for mail settings and implement input validation and output encoding as interim defenses.
Details
- CWE(s)