CVE-2026-27599 is a cross-site scripting (XSS) vulnerability identified in ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper neutralization of user-supplied input during web page generation, specifically within the System Settings – Mail Settings configuration interface. Several fields including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings accept input from authenticated users with high privileges but fail to sanitize or encode this input before storing it server-side and rendering it in the administrative UI. This flaw allows an attacker with administrative access to inject malicious scripts that execute in the context of other administrators viewing the settings page, potentially leading to session hijacking, privilege escalation, or manipulation of configuration data. The CVSS v3.1 base score is 4.7 (medium severity), reflecting the need for authentication with high privileges and the limited scope of impact. No known exploits have been reported in the wild. The vulnerability was addressed in ci4ms version 0.31.0.0 by implementing proper output encoding and input validation to prevent script injection.

The primary impact of this vulnerability is the potential for stored XSS attacks within the administrative interface of ci4ms installations prior to version 0.31.0.0. An attacker with high-level authenticated access can inject malicious scripts into mail configuration fields that execute when other administrators access the settings page. This can lead to theft of administrative session tokens, unauthorized actions performed with elevated privileges, or manipulation of system configurations, potentially disrupting email functionality or broader system operations. Although exploitation requires prior administrative access, the vulnerability increases risk by enabling lateral attacks among administrators and undermining trust in the CMS’s configuration integrity. Organizations relying on ci4ms for critical content management and enterprise resource planning functions may face data confidentiality breaches, integrity violations, and partial availability degradation. The absence of known exploits reduces immediate risk, but the vulnerability’s presence in production environments warrants prompt remediation to prevent targeted attacks.

Organizations should immediately upgrade ci4ms installations to version 0.31.0.0 or later, where the vulnerability has been patched with proper input sanitization and output encoding. Until upgrading is possible, restrict administrative access to trusted personnel only and monitor administrative activity logs for suspicious behavior. Implement web application firewalls (WAFs) with rules targeting XSS payloads in HTTP requests to the mail settings endpoints. Conduct thorough input validation and output encoding reviews for all administrative interfaces, especially those accepting configuration data. Employ multi-factor authentication and session management best practices to reduce the impact of potential session hijacking. Regularly audit and sanitize stored configuration data to remove any injected scripts. Finally, educate administrators about the risks of stored XSS and encourage cautious handling of configuration inputs.