CVE-2026-34557
Published: 30 March 2026
Summary
CVE-2026-34557 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). It ranks at the 6.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of user-controlled inputs to prevent injection of malicious JavaScript payloads into group and role management fields.
SI-15 mandates filtering and encoding of outputs in administrative views to block execution of stored malicious JavaScript payloads.
SI-2 ensures timely patching of the specific flaw in input sanitization and output encoding, as fixed in CI4MS version 0.31.0.0.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stored XSS vulnerability directly enables injection and execution of arbitrary JavaScript in the browser context of administrative users via unsanitized input fields.
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within group and role management functionality. Multiple input fields (three distinct group-related fields) can be injected with malicious JavaScript payloads, which are then stored server-side. These stored payloads are later rendered unsafely within privileged administrative views without proper output encoding, leading to stored cross-site scripting (XSS) within the role and permission management context. This issue has been patched in version 0.31.0.0.
Deeper analysis
CVE-2026-34557 is a stored cross-site scripting (XSS) vulnerability (CWE-79) affecting CI4MS, a CodeIgniter 4-based CMS skeleton that provides a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the group and role management functionality. Malicious JavaScript payloads can be injected into three distinct group-related input fields, which are stored server-side and later rendered unsafely without proper output encoding in privileged administrative views, leading to stored XSS in the role and permission management context.
The vulnerability can be exploited by an attacker with low privileges (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). It carries a CVSS v3.1 base score of 9.1 due to a change in scope (S:C), high confidentiality impact (C:H), and low impacts on integrity (I:L) and availability (A:L). Exploitation enables execution of arbitrary JavaScript in the context of administrative users viewing affected role and permission management interfaces.
The vulnerability has been patched in CI4MS version 0.31.0.0. Security advisories recommend upgrading to this version or later to mitigate the issue. Additional details are available in the GitHub security advisory at https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-rpjr-985c-qhvm.
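The pattern described above (a stored group field rendered into an administrative view without output encoding) and the SI-10/SI-15 controls listed earlier, as an added PHP illustration that is not code from the CI4MS project. It assumes CodeIgniter 4's `esc()` helper; the stand-in definition, the field names and the allow-list policy are constructed for the example.

```php
<?php
// Added example, not code from the CI4MS project: the unsafe rendering
// pattern the advisory describes next to an output-encoded version, plus an
// allow-list check for the group fields. esc() is CodeIgniter 4's real helper;
// the stand-in below exists only so this file runs outside the framework.
if (!function_exists('esc')) {
    function esc(string $data, string $context = 'html'): string
    {
        // Stand-in (assumption): the real esc() picks an encoder per context
        // ('html', 'attr', 'js', ...); htmlspecialchars covers html/attr here.
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample values: a low-privilege user stores these through the
// group-management form; an administrator later views the group list.
$groupName   = '<img src=x onerror="alert(1)">';
$description = 'Editors" onmouseover="alert(1)';

// Vulnerable pattern: stored values interpolated straight into the admin view.
function renderGroupRowUnsafe(string $name, string $description): string
{
    return "<tr><td>{$name}</td><td title=\"{$description}\">edit</td></tr>";
}

// Hardened (SI-15): encode at output time with the context-appropriate encoder.
function renderGroupRowSafe(string $name, string $description): string
{
    return '<tr><td>' . esc($name) . '</td>'
         . '<td title="' . esc($description, 'attr') . '">edit</td></tr>';
}

// Defence in depth (SI-10): reject group names outside an allow-list pattern
// before they are stored. Assumed policy: letters, digits, space, _ and -.
function isValidGroupName(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} _-]{1,64}$/u', $name);
}

// The unsafe row carries live markup into the administrator's browser; the
// safe row shows the same stored text inertly, and the validator rejects it.
echo renderGroupRowUnsafe($groupName, $description), PHP_EOL;
echo renderGroupRowSafe($groupName, $description), PHP_EOL;
var_dump(isValidGroupName($groupName));
```

Encoding belongs at the point of output in each view, since the same stored value may land in HTML text, an attribute, or a script context that each need a different encoder.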
Details
- CWE(s)