Cyber Posture

CVE-2026-34564

Critical · Public PoC

Published: 01 April 2026
Modified: 07 April 2026
KEV Added: not listed
Patch: available (version 0.31.0.0)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.0005 (15.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34564 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 15.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-10 Information Input Validation (prevent)

Directly requires sanitization and validation of user-controlled Page data input before it is stored by Menu Management, preventing injection of malicious XSS payloads.

SI-15 Information Output Filtering (prevent)

Enforces output filtering and encoding of stored Page data when it is rendered in administrative interfaces and public navigation menus, blocking DOM-based XSS execution.

Flaw remediation (prevent)

Mandates timely flaw remediation by upgrading CI4MS to version 0.31.0.0 to eliminate the stored XSS vulnerability.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored DOM-based XSS in public-facing CMS directly maps to exploiting public-facing applications (T1190) and enables browser session hijacking via persistent malicious script injection for credential theft (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Pages to navigation menus through the Menu Management functionality. Page-related data selected via the Pages section is stored server-side and rendered without proper output encoding. This stored payload is later rendered unsafely within administrative interfaces and public-facing navigation menus, leading to stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.

Deeper analysis (AI-generated)

CVE-2026-34564 is a stored DOM-based cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting CI4MS, a CodeIgniter 4-based CMS skeleton that provides a production-ready, modular architecture with RBAC authorization and theme support. The flaw occurs prior to version 0.31.0.0 in the Menu Management functionality, where user-controlled input from Page-related data selected via the Pages section is not properly sanitized. This input is stored server-side and later rendered without adequate output encoding in administrative interfaces and public-facing navigation menus, enabling persistent script injection. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L), indicating critical severity due to its network accessibility, low attack complexity, and cross-scope impact.

An attacker with low privileges, such as an authenticated user with access to Menu Management (likely an administrative or editorial role under RBAC), can exploit this by injecting malicious payloads when adding Pages to navigation menus. The stored payload executes in the DOM for subsequent visitors, including other administrators viewing the interfaces or end-users accessing public navigation menus, without requiring further interaction. Successful exploitation allows high confidentiality impact through session hijacking, credential theft, or data exfiltration; low integrity and availability impacts may include minor page modifications or denial of functionality for affected users.

Mitigation is available via the patch in CI4MS version 0.31.0.0, as detailed in the project's GitHub release notes and security advisory (GHSA-g4pp-fhgf-8653). Security practitioners should upgrade to this version immediately, review and sanitize any existing menu configurations for malicious content, and implement output encoding best practices for user-supplied data in CMS navigation components.
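The two preventive controls above (SI-10 input validation and SI-15 output encoding) and the recommendation to review existing menu records, shown together as an added example. This is not CI4MS project code: it assumes a hypothetical stored menu record shape `{label, href}`, uses a constructed generic test payload rather than anything from the advisory, and renders the vulnerable concatenation pattern beside its hardened form so the difference in output is visible.

```javascript
// Added example (not CI4MS code). Assumes a hypothetical stored-menu record
// shape {label, href}; the sample payload below is a constructed, generic
// XSS test string, not material from the advisory.

// Minimal HTML entity encoder, safe for element text and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Input validation (SI-10): a menu link must be a site-relative path
// (not protocol-relative) or an absolute http(s) URL. Anything else,
// including javascript: or data: schemes, is rejected.
function isSafeHref(href) {
  const s = String(href).trim();
  if (s.startsWith("/") && !s.startsWith("//")) return true;
  try {
    const u = new URL(s);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false; // not parseable as an absolute URL
  }
}

// Vulnerable pattern: stored fields concatenated straight into markup,
// so whatever was saved by Menu Management is emitted as live HTML.
function renderMenuUnsafe(items) {
  return "<ul>" +
    items.map(i => `<li><a href="${i.href}">${i.label}</a></li>`).join("") +
    "</ul>";
}

// Hardened pattern (SI-15): validate the href, then encode every field
// for the context it lands in. A rejected href degrades to "#".
function renderMenuSafe(items) {
  return "<ul>" +
    items.map(i => {
      const href = isSafeHref(i.href) ? i.href : "#";
      return `<li><a href="${escapeHtml(href)}">${escapeHtml(i.label)}</a></li>`;
    }).join("") +
    "</ul>";
}

// Review aid for records already in the database: flag entries whose label
// carries markup characters or whose href fails validation, so an operator
// can inspect them after upgrading rather than trusting old data blindly.
function findSuspiciousEntries(items) {
  return items.filter(i => /[<>"']/.test(String(i.label)) || !isSafeHref(i.href));
}

// Constructed sample menu: one benign entry and one carrying a script tag in
// the label plus a javascript: URL in the href.
const SAMPLE_MENU = [
  { label: "Home", href: "/" },
  { label: "<script>alert(1)</script>", href: "javascript:alert(1)" },
];

console.log("unsafe:", renderMenuUnsafe(SAMPLE_MENU));
console.log("safe:  ", renderMenuSafe(SAMPLE_MENU));
console.log("flagged:", findSuspiciousEntries(SAMPLE_MENU));
```

Run with `node menu.js`: the unsafe output contains the raw `<script>` element and the `javascript:` link, while the safe output carries only entity-encoded text and a neutralised `href="#"`. CI4MS itself is PHP; in CodeIgniter 4 views the equivalent of `escapeHtml` is the framework's `esc()` helper, and validation of stored hrefs belongs in the model or controller before the record is written.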

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: ci4-cms-erp / ci4ms, ≤ 0.31.0.0

CVEs Like This One

CVE-2026-34559 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34560 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34567 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34562 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-35035 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34565 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34561 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34571 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34566 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34563 (same product: Ci4-Cms-Erp Ci4Ms)

References