
CVE-2026-39391: CI4MS CodeIgniter CMS XSS Vulnerability

CVE-2026-39391 is a stored XSS flaw in CI4MS CodeIgniter CMS that allows admins to inject malicious scripts into user management pages. This post covers technical details, affected versions, impact, and mitigation steps.

Published: April 10, 2026

CVE-2026-39391 Overview

CVE-2026-39391 is a stored Cross-Site Scripting (XSS) vulnerability affecting CI4MS, a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitization and rendered into an HTML data-note attribute without proper escaping. This allows an admin with blacklist privileges to inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page.

Critical Impact

An authenticated administrator with blacklist privileges can achieve stored XSS, enabling session hijacking, privilege abuse, and administrative account compromise within the CMS.

Affected Products

  • CI4MS versions prior to 0.31.4.0
  • CodeIgniter 4-based CMS installations using the vulnerable UserController module
  • Systems with RBAC configurations allowing blacklist privileges

Discovery Timeline

  • 2026-04-08 - CVE-2026-39391 published to NVD
  • 2026-04-08 - Last updated in NVD database

Technical Details for CVE-2026-39391

Vulnerability Analysis

This stored XSS vulnerability (CWE-79) exists in the CI4MS user management functionality. The flaw occurs because user-supplied input in the blacklist note parameter is not properly sanitized before being stored in the database and is subsequently rendered into an HTML attribute without output encoding. The attack surface is limited to authenticated administrators who have been granted blacklist privileges, making this a privilege escalation vector within the administrative panel rather than an externally exploitable vulnerability.

The vulnerability requires user interaction—another administrator must view the user management page where the malicious note is displayed. When rendered, the injected JavaScript executes within the victim's browser context, potentially allowing the attacker to steal session tokens, perform actions on behalf of the victim administrator, or further compromise the CMS.

Root Cause

The root cause is improper input validation and output encoding in the UserController::ajax_blackList_post() function. The blacklist note parameter is accepted from user input without sanitization and stored directly in the database. When the user management page retrieves and displays this data, the note content is inserted into an HTML data-note attribute without escaping special characters, allowing script injection.

Attack Vector

The attack vector is network-based and requires an authenticated attacker with administrative blacklist privileges. The attacker crafts a malicious JavaScript payload within the note field when blacklisting a user. This payload is stored persistently in the database. When any other administrator navigates to the user management interface and views the blacklisted user entry, the malicious script executes in their browser session. This enables session hijacking, credential theft, or manipulation of administrative functions on behalf of the victim.

The vulnerability exploits the trust relationship between administrators and the absence of content security policies or output encoding in the data attribute rendering logic. An attacker could inject payloads designed to exfiltrate session cookies, create new administrative accounts, or modify system configurations.

Detection Methods for CVE-2026-39391

Indicators of Compromise

  • Unusual JavaScript code patterns in database fields associated with user blacklist notes
  • Unexpected <script> tags, event handlers (e.g., onerror, onload), or encoded payloads in user management data
  • Session anomalies indicating potential session hijacking of administrative accounts
  • Audit log entries showing blacklist operations with suspicious note content

Detection Strategies

  • Implement database query monitoring to detect malicious script patterns in the blacklist notes table
  • Deploy Web Application Firewalls (WAF) with XSS detection signatures to identify injection attempts
  • Configure Content Security Policy (CSP) headers to prevent inline script execution and report violations
  • Review administrative audit logs for unusual blacklist activity or modifications

Monitoring Recommendations

  • Enable verbose logging for the UserController::ajax_blackList_post() endpoint
  • Monitor for CSP violation reports indicating attempted XSS exploitation
  • Set up alerts for database writes containing HTML or JavaScript syntax in note fields
  • Implement real-time session monitoring to detect session token anomalies

How to Mitigate CVE-2026-39391

Immediate Actions Required

  • Upgrade CI4MS to version 0.31.4.0 or later immediately
  • Audit existing blacklist note entries in the database for malicious content
  • Implement Content Security Policy headers to mitigate XSS impact
  • Review and restrict blacklist privileges to only essential administrative users

Patch Information

The vulnerability is fixed in CI4MS version 0.31.4.0. The patch implements proper input sanitization for the blacklist note parameter and ensures appropriate output encoding when rendering the data into HTML attributes. Organizations should update to the patched version as the primary remediation measure. For detailed patch information, refer to the GitHub Security Advisory.

Workarounds

  • Implement server-side input validation to strip or encode HTML entities from note parameters before database storage
  • Apply output encoding using CodeIgniter's esc() helper function when rendering user-supplied data in templates
  • Deploy a Web Application Firewall with XSS filtering rules as a temporary protection layer
  • Restrict blacklist privileges to a minimal set of trusted administrators until the patch is applied

If immediate patching is not possible, manually review and sanitize the UserController::ajax_blackList_post() function to ensure proper escaping. Implement the following defensive measures in your CodeIgniter 4 configuration:

```php
// In app/Config/ContentSecurityPolicy.php
// Enable strict CSP to mitigate XSS impact. The framework only emits the
// header when $CSPEnabled is set to true in app/Config/App.php; CodeIgniter
// adds the quotes around keyword sources such as self itself.
public $scriptSrc = 'self';
public $reportOnly = false;
```

```php
<!-- In templates rendering user data -->
<!-- Always use the esc() helper with the 'attr' context when the value
     is placed inside an HTML attribute such as data-note -->
<?= esc($note, 'attr') ?>
```
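The rendering defect described under Root Cause beside the attribute-escaping fix recommended in the Workarounds, as an added example that is not CI4MS code: escapeAttr(), renderRowVulnerable(), renderRowHardened() and noteLooksSuspicious() are illustrative names, escapeAttr() stands in for CodeIgniter 4's esc($note, 'attr'), and the sample rows are constructed.

```php
<?php
// Added example, not code from CI4MS. It models the data-note rendering
// described above: the vulnerable version interpolates the stored note
// verbatim, the hardened version escapes it for the attribute context.

function escapeAttr(string $value): string
{
    // ENT_QUOTES encodes both quote styles, so the value can never close
    // the attribute it is placed in. Stand-in for esc($value, 'attr').
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Before: the note lands in the attribute unchanged (the CVE-2026-39391 pattern).
function renderRowVulnerable(string $username, string $note): string
{
    return '<tr data-note="' . $note . '"><td>' . $username . '</td></tr>';
}

// After: every user-controlled value is escaped for the context it is placed in.
function renderRowHardened(string $username, string $note): string
{
    return '<tr data-note="' . escapeAttr($note) . '"><td>'
        . escapeAttr($username) . '</td></tr>';
}

// Audit helper for the "review existing blacklist notes" step: flags stored notes
// carrying markup, attribute-breakout quotes, inline event handlers or script URLs.
function noteLooksSuspicious(string $note): bool
{
    $patterns = ['/[<>"\']/', '/\bon[a-z]+\s*=/i', '/javascript\s*:/i'];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $note) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample rows: a benign note and one shaped like an
// attribute breakout followed by an inline event handler.
$rows = [
    ['username' => 'alice', 'note' => 'Repeated spam posts'],
    ['username' => 'mallory', 'note' => '" onmouseover="alert(1)'],
];
foreach ($rows as $row) {
    printf("vulnerable: %s\n", renderRowVulnerable($row['username'], $row['note']));
    printf("hardened:   %s\n", renderRowHardened($row['username'], $row['note']));
    printf("suspicious: %s\n\n", noteLooksSuspicious($row['note']) ? 'yes' : 'no');
}
```

For the second row the vulnerable output closes the data-note attribute and introduces a new onmouseover attribute, while the hardened output keeps the whole note inside the attribute as `&quot;`-encoded text; a hit from noteLooksSuspicious() is a review item, not proof of compromise.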

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: XSS
  • Vendor/Tech: Ci4ms
  • Severity: MEDIUM
  • CVSS Score: 4.8
  • EPSS Probability: 0.01%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Impact Assessment

  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

CWE References

  • CWE-79

Technical References

  • GitHub Security Advisory

Related CVEs

  • CVE-2026-39392: CI4MS CodeIgniter CMS XSS Vulnerability
  • CVE-2026-34571: CI4MS Backend Stored XSS Vulnerability
  • CVE-2026-34567: CI4MS CodeIgniter CMS XSS Vulnerability
  • CVE-2026-34563: CI4MS CMS Stored XSS Vulnerability
©2026 SentinelOne, All Rights Reserved.