CVE-2026-34561

MediumPublic PoC

Published: 01 April 2026

Published

01 April 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0005 15.9th percentile

Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34561 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 4.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 15.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the failure to sanitize user-controlled input in social media configuration fields before server-side storage.

SI-15 Information Output Filtering good match

prevent

Prevents XSS execution by requiring output filtering and encoding when rendering the stored unsanitized configuration data.

SI-2 Flaw Remediation good match

prevent

Ensures timely flaw remediation by applying the patch in CI4MS version 0.31.0.0 to fix the stored XSS vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

attack.mitre.org →

T1539 Steal Web Session Cookie Credential Access

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

attack.mitre.org →

Why these techniques?

Stored XSS in admin settings allows persistent script injection that executes in victims' browsers, directly enabling browser session hijacking (T1185) and theft of web session cookies (T1539) without requiring additional user interaction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Social Media Management. Multiple configuration…

fields, including Social Media and Social Media Link, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.

Deeper analysisAI

CVE-2026-34561 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in CI4MS, a CodeIgniter 4-based CMS skeleton providing a production-ready, modular architecture with RBAC authorization and theme support. The flaw affects versions prior to 0.31.0.0 and occurs in the System Settings – Social Media Management section, where multiple configuration fields such as Social Media and Social Media Link fail to properly sanitize user-controlled input. This input is stored server-side and later rendered without adequate output encoding, enabling script injection.

An attacker with high privileges (PR:H), such as an authenticated administrator with access to the System Settings, can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows limited impacts: low confidentiality (C:L), integrity (I:L), and availability (A:L) effects within unchanged scope (S:U), as rated by the CVSS v3.1 base score of 4.7. The injected payload persists server-side and executes when the affected fields are rendered in the application.

The issue has been addressed in CI4MS version 0.31.0.0, as detailed in the project's GitHub release notes (https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0) and security advisory (https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gcfj-cf7j-vwgj). Security practitioners should urge users to upgrade to the patched version to mitigate the vulnerability.

Details

CWE(s): CWE-79

Affected Products

ci4-cms-erp

ci4ms

≤ 0.31.0.0

CVEs Like This One

CVE-2026-34560Same product: Ci4-Cms-Erp Ci4Ms

CVE-2026-35035Same product: Ci4-Cms-Erp Ci4Ms

CVE-2026-27599Same product: Ci4-Cms-Erp Ci4Ms

CVE-2026-34989Same product: Ci4-Cms-Erp Ci4Ms

CVE-2026-34559Same product: Ci4-Cms-Erp Ci4Ms

CVE-2026-34564Same product: Ci4-Cms-Erp Ci4Ms

CVE-2026-34566Same product: Ci4-Cms-Erp Ci4Ms

CVE-2026-34563Same product: Ci4-Cms-Erp Ci4Ms

CVE-2026-34568Same product: Ci4-Cms-Erp Ci4Ms

CVE-2026-34569Same product: Ci4-Cms-Erp Ci4Ms

References

https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
Release Notes · security-advisories@github.com
https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gcfj-cf7j-vwgj
Exploit, Vendor Advisory · security-advisories@github.com