CVE-2026-39390: CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting

April 8, 2026

The Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an <iframe> allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an <iframe srcdoc="..."> payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors.

References

github.com/advisories/GHSA-x3hr-cp7x-44r2
github.com/ci4-cms-erp/ci4ms
github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2
nvd.nist.gov/vuln/detail/CVE-2026-39390

Code Behaviors & Features

Detect and mitigate CVE-2026-39390 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →