CVE-2026-34558
Published: 30 March 2026
Summary
CVE-2026-34558 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); it is ranked at the 6.1 percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of user-controlled inputs to prevent storage of unsanitized JavaScript payloads in the Methods Management functionality.
SI-15 mandates filtering and encoding of information outputs rendered in administrative interfaces and navigation to block execution of stored XSS payloads.
SI-2 ensures identification, reporting, and correction of the specific flaw allowing stored DOM-based XSS, aligning with the patch in version 0.31.0.0.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored DOM-based XSS enables arbitrary JavaScript execution in victims' browsers (client execution) and allows low-privileged users to impact higher-privileged admin sessions via data theft and scope change.
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding. These stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in Stored DOM-Based Cross-Site Scripting (XSS). This issue has been patched in version 0.31.0.0.
Deeper analysis
CVE-2026-34558 is a Stored DOM-Based Cross-Site Scripting (XSS) vulnerability (CWE-79) in CI4MS, a CodeIgniter 4-based CMS skeleton providing production-ready modular architecture, RBAC authorization, and theme support. The flaw affects versions prior to 0.31.0.0 and stems from inadequate sanitization of user-controlled input in the Methods Management functionality for creating or managing application methods/pages. Attacker-supplied JavaScript payloads in multiple input fields are stored server-side without sanitization or output encoding, then rendered directly into administrative interfaces and global navigation components, enabling execution in victims' browsers. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L).
Low-privileged authenticated users (PR:L) with access to the Methods Management features can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows attackers to inject persistent JavaScript that executes in the context of administrative interfaces and navigation for other users, achieving high confidentiality impact (C:H) through data theft such as session tokens or sensitive admin data, alongside low integrity (I:L) and availability (A:L) impact. The scope change (S:C) reflects that the injected script runs in the browsers of other users, beyond the vulnerable component itself.
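As an added illustration (not CI4MS's code or its actual patch), the following CodeIgniter 4 fragment places the rendering pattern the advisory describes next to an output-encoded form (SI-15) and an input-side rule set (SI-10); the names `$methods`, `method_name`, `method_url` and the three functions are assumptions, while `esc()`, `Services::validation()` and the rule names are CodeIgniter 4 built-ins.

```php
<?php
// Added illustration, not CI4MS code. Field and function names are hypothetical;
// esc(), Services::validation() and the validation rules are CodeIgniter 4 built-ins.

// --- Vulnerable rendering: the defect class the advisory describes ---
// A stored method name or URL is concatenated raw into the admin navigation,
// so the stored markup executes for every user who loads the menu.
function render_nav_vulnerable(array $methods): string
{
    $html = '<ul class="nav">';
    foreach ($methods as $m) {
        $html .= '<li><a href="' . $m['method_url'] . '">' . $m['method_name'] . '</a></li>';
    }
    return $html . '</ul>';
}

// --- Hardened rendering (SI-15: output filtering/encoding) ---
// esc() with the 'html' context encodes text nodes; the 'attr' context encodes
// values placed inside attributes, which is the correct context for href="...".
function render_nav_hardened(array $methods): string
{
    $html = '<ul class="nav">';
    foreach ($methods as $m) {
        $html .= '<li><a href="' . esc($m['method_url'], 'attr') . '">'
               . esc($m['method_name'], 'html') . '</a></li>';
    }
    return $html . '</ul>';
}

// --- Input validation at storage time (SI-10) ---
// Attribute encoding alone does not stop a stored "javascript:" URL from being a
// live link, so the URL is restricted to a site-relative path on the way in.
// Returns an empty array when the input is acceptable, otherwise field => message.
function validate_method_input(array $data): array
{
    $validation = \Config\Services::validation();
    $validation->setRules([
        'method_name' => 'required|max_length[64]|alpha_numeric_space',
        'method_url'  => 'required|max_length[255]|regex_match[/^\/[A-Za-z0-9_\-\/]*$/]',
    ]);
    return $validation->run($data) ? [] : $validation->getErrors();
}
```

Validation narrows what reaches the database, but encoding at every render site remains the control that closes the XSS itself; a field rejected by one form can still arrive through another path (imports, API, older records).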
The GitHub Security Advisory (GHSA-v77r-xg3p-75g7) confirms the issue has been addressed in CI4MS version 0.31.0.0, recommending immediate upgrades to mitigate the risk.
Details
- CWE(s)