CVE-2026-45270: CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule

May 18, 2026

The Pages backend module registers the html_purify validation rule on language-keyed page content but persists the raw, un-purified POST value into the database. The public renderer for pages (Home::index() → app/Views/templates/default/pages.php) emits $pageInfo->content without esc(), yielding stored XSS that fires for every public visitor of the affected page — including administrators. Because pages may be promoted to the site home page, the payload can be served at / and reach every visitor of the site.

References

github.com/advisories/GHSA-gqr2-7hcg-rchf
github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.9.0
github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gqr2-7hcg-rchf
nvd.nist.gov/vuln/detail/CVE-2026-45270

Code Behaviors & Features

Detect and mitigate CVE-2026-45270 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →