CVE-2026-34562
Published: 01 April 2026
Summary
CVE-2026-34562 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation and sanitization of user-controlled inputs, directly preventing the storage of unsanitized data in administrative configuration fields.
SI-15 mandates filtering of information outputs with proper encoding, directly addressing the lack of output encoding when rendering stored company information.
SI-2 ensures timely identification, reporting, and correction of flaws like this stored XSS vulnerability through patching to version 0.31.0.0.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS enables arbitrary JavaScript execution in victim browsers (T1059.007) via unsanitized admin config fields; as a web app vulnerability in a CMS, it facilitates exploitation of public-facing applications (T1190).
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration…
more
fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.
Deeper analysisAI
CVE-2026-34562 is a cross-site scripting (XSS) vulnerability (CWE-79) in CI4MS, a CodeIgniter 4-based CMS skeleton providing production-ready modular architecture with RBAC authorization and theme support. The flaw affects versions prior to 0.31.0.0, where administrative configuration fields in System Settings – Company Information fail to properly sanitize user-controlled input. This input is stored server-side and later rendered without adequate output encoding, enabling script injection.
An attacker requires high privileges (PR:H), such as administrative access, to exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows injection of malicious scripts into the company information fields, which execute in the context of other users viewing the rendered settings page, resulting in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) under CVSS 3.1 scoring of 4.7.
The issue has been addressed in CI4MS version 0.31.0.0, as detailed in the project's GitHub release notes and security advisory (GHSA-v897-c6vq-6cr3), which recommend upgrading to the patched version for mitigation.
Details
- CWE(s)