Cyber Posture

CVE-2026-34559

Critical · Public PoC

Published: 01 April 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: fixed in version 0.31.0.0
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.0002 (5.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34559 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 5.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

[prevent] SI-10 (Information Input Validation) mandates validating user-controlled input such as blog tag names to block malicious JavaScript injection during creation or editing.

[prevent] SI-15 (Information Output Filtering) enforces output filtering and encoding when rendering stored tag names on public pages and admin interfaces to prevent XSS execution.

[prevent] SI-2 (Flaw Remediation) ensures timely identification, reporting, and correction of the stored XSS flaw present in CI4MS prior to version 0.31.0.0, i.e. upgrading to the patched release.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS in public-facing CMS directly enables T1190 (exploiting the web app remotely) and facilitates T1539 (injecting JS to steal session cookies from viewing users/admins).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side. This stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.

Deeper analysis [AI]

CVE-2026-34559 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in CI4MS, a CodeIgniter 4-based CMS skeleton providing modular architecture, RBAC authorization, and theme support. Prior to version 0.31.0.0, the application does not properly sanitize user-controlled input when creating or editing blog tags, allowing attackers to inject malicious JavaScript payloads into the tag name field. These payloads are stored server-side and rendered without proper output encoding on public tag pages and administrative interfaces. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L), indicating critical severity.

An authenticated attacker with low privileges (PR:L) can exploit this issue remotely over the network with low complexity and no user interaction required. By submitting a malicious JavaScript payload via the blog tag creation or editing functionality, the attacker triggers stored XSS when victims, including other users or administrators, view affected public tag pages or admin interfaces. This enables theft of sensitive data such as session cookies (high confidentiality impact), minor disruptions to integrity or availability, and potential scope expansion across the application due to changed scope (S:C).

The issue has been addressed in CI4MS version 0.31.0.0, as detailed in the project's GitHub release notes and security advisory (GHSA-4333-387x-w245). Security practitioners should upgrade to the patched version immediately and review any deployed instances for injected tags, applying input validation and output encoding as interim mitigations where patching is delayed.
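The two controls recommended above (SI-10 validation at tag creation, SI-15 encoding at render time) and the interim review of deployed instances for injected tags can be shown in a few lines of PHP. The block below is an added example, not code from the CI4MS project: the function names, the allow-list pattern, the table-like array and the injected sample value are all assumptions constructed for illustration. CodeIgniter 4's `esc()` helper performs the same HTML-context encoding as the `htmlspecialchars` call used here, which is inlined so the snippet runs without the framework.

```php
<?php
// Added example (not CI4MS project code) of the SI-10 / SI-15 controls for a
// blog tag name, plus a defender-side review of already-stored tags.
// Function names, the allow-list pattern and the sample rows are assumptions.

declare(strict_types=1);

// SI-10: allow-list validation when a tag is created or edited. A tag is a
// short label, so letters, digits, spaces and a few punctuation characters
// suffice; any value containing markup characters is rejected.
function validateTagName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} _.\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// SI-15: HTML-context output encoding at render time (the equivalent of
// CodeIgniter 4's esc($value, 'html')).
function encodeForHtml(string $storedName): string
{
    return htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The rendering pattern the advisory describes: the stored value is
// concatenated into the page unchanged, so stored markup executes.
function renderTagUnsafe(string $storedName): string
{
    return '<a class="tag">' . $storedName . '</a>';
}

// Hardened form: encode at the point of output regardless of what validation
// did on the way in, so a value that slipped into the database cannot execute.
function renderTagSafe(string $storedName): string
{
    return '<a class="tag">' . encodeForHtml($storedName) . '</a>';
}

// Interim check for deployed instances: flag stored tags that would not pass
// validation today, i.e. values most likely injected before the fix.
function findSuspiciousTags(array $storedTags): array
{
    $flagged = [];
    foreach ($storedTags as $id => $name) {
        if (validateTagName($name) === null) {
            $flagged[$id] = $name;
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for the tag table; row 3 is a
// constructed injected value, not anything taken from the advisory.
$storedTags = [
    1 => 'security',
    2 => 'release-notes',
    3 => '<script>alert(1)</script>',
];

foreach (findSuspiciousTags($storedTags) as $id => $name) {
    // Encode even in the audit output so the report itself is safe to display.
    echo "tag #$id needs review: " . encodeForHtml($name) . PHP_EOL;
}

echo renderTagSafe($storedTags[3]) . PHP_EOL;
```

Validation and encoding are deliberately separate functions: validation limits what enters storage, while encoding makes the rendering safe even for rows that predate the validator, which is exactly the situation a site running a pre-0.31.0.0 release is in after upgrading.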

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: ci4-cms-erp / ci4ms, versions ≤ 0.31.0.0

CVEs Like This One

CVE-2026-34563 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34569 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34560 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34567 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34562 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-35035 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34565 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34561 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34571 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34564 (same product: Ci4-Cms-Erp Ci4Ms)

References