Cyber Resilience

CVE-2026-34562

MediumPublic PoC

Published: 01 April 2026

Published
01 April 2026
Modified
09 April 2026
KEV Added
Patch
CVSS Score v3.1 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0027 19.0th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-34562 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 4.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-34562 is a cross-site scripting (XSS) vulnerability (CWE-79) in CI4MS, a CodeIgniter 4-based CMS skeleton providing production-ready modular architecture with RBAC authorization and theme support. The flaw affects versions prior to 0.31.0.0, where administrative configuration fields in System Settings – Company Information fail to properly sanitize user-controlled input. This input is stored server-side and later rendered without adequate output encoding, enabling script injection.

An attacker requires high privileges (PR:H), such as administrative access, to exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows injection of malicious scripts into the company information fields, which execute in the context of other users viewing the rendered settings page, resulting in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) under CVSS 3.1 scoring of 4.7.

The issue has been addressed in CI4MS version 0.31.0.0, as detailed in the project's GitHub release notes and security advisory (GHSA-v897-c6vq-6cr3), which recommend upgrading to the patched version for mitigation.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration…

more

fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stored XSS enables arbitrary JavaScript execution in victim browsers (T1059.007) via unsanitized admin config fields; as a web app vulnerability in a CMS, it facilitates exploitation of public-facing applications (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34565Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34567Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34563Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34569Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34557Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34559Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34571Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34566Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34564Same product: Ci4-Cms-Erp Ci4Ms
CVE-2026-34568Same product: Ci4-Cms-Erp Ci4Ms

Affected Assets

ci4-cms-erp
ci4ms
≤ 0.31.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation and sanitization of user-controlled inputs, directly preventing the storage of unsanitized data in administrative configuration fields.

prevent

SI-15 mandates filtering of information outputs with proper encoding, directly addressing the lack of output encoding when rendering stored company information.

prevent

SI-2 ensures timely identification, reporting, and correction of flaws like this stored XSS vulnerability through patching to version 0.31.0.0.

References