How severe is GHSA-66m2-v9v9-95c3?

GHSA-66m2-v9v9-95c3 has a CVSS score of 9.1/10, rated CRITICAL. Immediate patching is strongly recommended.

Which packages are affected by GHSA-66m2-v9v9-95c3?

GHSA-66m2-v9v9-95c3 affects the following packages: ci4-cms-erp/ci4ms (Packagist). Ecosystems affected: Packagist.

How do I fix GHSA-66m2-v9v9-95c3?

Update ci4-cms-erp/ci4ms to 0.31.0.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-66m2-v9v9-95c3 is resolved across your whole dependency graph.

How do I detect GHSA-66m2-v9v9-95c3 in my Packagist dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for ci4-cms-erp/ci4ms. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-66m2-v9v9-95c3 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-66m2-v9v9-95c3?

O3 pinpoints whether GHSA-66m2-v9v9-95c3 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-66m2-v9v9-95c3 actively exploited in the wild?

No public exploit code has been indexed for GHSA-66m2-v9v9-95c3 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-66m2-v9v9-95c3?

GHSA-66m2-v9v9-95c3 has an EPSS (Exploit Prediction Scoring System) score of 0.4%, placing it in the 28th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-66m2-v9v9-95c3?

GHSA-66m2-v9v9-95c3 is classified as Cross-site Scripting (XSS) (CWE-79). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation. This is a high-impact weakness class that often enables remote code execution or data exposure.

When was GHSA-66m2-v9v9-95c3 published, and has it been updated?

GHSA-66m2-v9v9-95c3 was published on March 30, 2026 and was last updated on May 5, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐘 Packagist

GHSA-66m2-v9v9-95c3

CRITICAL

ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Also known asCVE-2026-27599

Published

Mar 30, 2026

Updated

May 5, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.4%probability of exploitation in next 30 days

Lower Risk28th percentile+0.33%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

🐘ci4-cms-erp/ci4ms

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Summary

Vulnerability: Stored DOM XSS via System Settings – Mail Settings (Same-Page Attribute Breakout & Persistent Payload Injection)

Stored Cross-Site Scripting via Unsanitized Mail Settings Configuration Fields

Description

The application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding.

Unlike public-facing XSS that executes on landing pages, this vulnerability executes immediately on the same settings page. The injected payload breaks out of the HTML attribute context and is interpreted by the browser when rendered, resulting in same-page DOM-based XSS.

This represents different functionality and a separate vulnerability from landing-page injection.

Example Affected Fields

Mail Server: test
Mail Port: 465
Email Address: [email protected]
Email Password: (any input)
Mail Protocol: SMTP
Domain: [email protected]

Affected Functionality

System Settings – Mail Settings configuration
Same-page rendering of user-controlled input fields
DOM attribute injection within form inputs
Storage and retrieval of mail configuration values

Attack Scenario

An attacker injects a malicious JavaScript payload into one or more Mail Settings fields.
The payload breaks out of the HTML attribute context.
The application stores and re-renders the payload without sanitization or encoding.
The payload executes immediately on the same settings page.
The script executes in the browser context of the authenticated user managing Mail Settings.

Impact

Persistent Stored XSS
Immediate Same-Page DOM XSS execution
Execution of arbitrary JavaScript in victims’ browsers
Administrative privilege escalation
Full administrator account takeover
Full account takeover across all roles
Full compromise of the entire platform

Endpoints:

/backend/settings/ (Mail Settings)

Steps To Reproduce (POC)

Navigate to System Settings -> Mail Settings
Insert the following XSS payload into any Mail Settings field: test"><img src=1 onerror=alert()>" class="form-control" placeholder="Name" required>
Save the settings
Observe that the payload breaks out of the input attribute context
The XSS executes immediately on the same page

Remediation

Never use .html() or any innerHTML-style sinks for user-controlled input in PHP or JavaScript.
Apply proper HTML encoding and input sanitization for all configuration fields.
Enforce CSP, HttpOnly, SameSite, and Secure flags for cookies to reduce the severity of XSS and potential CSRF escalation.
Audit all other system settings fields for similar attribute injection vulnerabilities.

Ready Video POC:

https://mega.nz/file/KRNhUI6Q#NGC3Bow3RlnmdU1H2bGu1BGbpfIc-awi6IlvTp08V1s

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐘Packagist	`ci4-cms-erp/ci4ms`	all versions	0.31.0.0

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for ci4-cms-erp/ci4ms. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update ci4-cms-erp/ci4ms to 0.31.0.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-66m2-v9v9-95c3 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-66m2-v9v9-95c3 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-66m2-v9v9-95c3. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary ### **Vulnerability: Stored DOM XSS via System Settings – Mail Settings (Same-Page Attribute Breakout & Persistent Payload Injection)** - Stored Cross-Site Scripting via Unsanitized Mail Settings Configuration Fields ### Description The application fails to properly sanitize user-controlled input within **System Settings – Mail Settings**. Several configuration fields, including **Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings**, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. Un

O3 Security · Impact-Aware SCA

Is GHSA-66m2-v9v9-95c3 in your dependencies?

O3 detects GHSA-66m2-v9v9-95c3 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works

GHSA-66m2-v9v9-95c3

EPSS Exploitation Probability

Blast Radius

Description

Summary

Vulnerability: Stored DOM XSS via System Settings – Mail Settings (Same-Page Attribute Breakout & Persistent Payload Injection)

Description

Example Affected Fields

Affected Functionality

Attack Scenario

Impact

Steps To Reproduce (POC)

Remediation

Ready Video POC:

Affected Packages

Detection & mitigation playbook

Detect

Fix

Workarounds

How O3 protects you

Frequently Asked Questions

Is GHSA-66m2-v9v9-95c3 in your dependencies?