The application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding.
Unlike public-facing XSS that executes on landing pages, this vulnerability executes immediately on the same settings page. The injected payload breaks out of the HTML attribute context and is interpreted by the browser when rendered, resulting in same-page DOM-based XSS.
This represents different functionality and a separate vulnerability from landing-page injection.
test465[email protected]SMTP[email protected]Endpoints:
- /backend/settings/ (Mail Settings)
test"><img src=1 onerror=alert()>" class="form-control" placeholder="Name" required>https://mega.nz/file/KRNhUI6Q#NGC3Bow3RlnmdU1H2bGu1BGbpfIc-awi6IlvTp08V1s
| Score | Percentile |
|---|---|
| 0.02% | 5.94% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 9.1 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-66m2-v9v9-95c3 ↗ |
| CVE | CVE-2026-27599 ↗ |
| CWE id | Name |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | ci4-cms-erp/ci4ms | <= 0.28.6.0 | 0.31.0.0 | — |