CVE-2026-27599: ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

March 30, 2026 (updated April 27, 2026)

The application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding.

Unlike public-facing XSS that executes on landing pages, this vulnerability executes immediately on the same settings page. The injected payload breaks out of the HTML attribute context and is interpreted by the browser when rendered, resulting in same-page DOM-based XSS.

This represents different functionality and a separate vulnerability from landing-page injection.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-27599 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →