[MEDIUM] CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting

PKSA-znp8-d94g-vhxv CVE-2026-39390 GHSA-x3hr-cp7x-44r2

Affected package: ci4-cms-erp/ci4ms

Affected version: <=0.31.3.0

Reported by:
GitHub