Cyber Posture

CVE-2026-34565

Critical · Public PoC

Published: 01 April 2026
Modified: 06 April 2026
KEV Added: not listed
Patch: CI4MS 0.31.0.0
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.0005 (15.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34565 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 15.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, JavaScript execution (T1059.007), both listed below. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: SI-10 (Information Input Validation) requires validating and sanitizing user-controlled inputs, such as Post data, before they are stored through Menu Management, which blocks the injection of XSS payloads at the source.

Prevent: SI-15 (Information Output Filtering) mandates filtering and encoding output when stored Post data is rendered in admin dashboards and public navigation menus, which neutralises stored DOM-based XSS even if a payload reaches storage.

Prevent: SI-2 (Flaw Remediation) ensures flaws such as this XSS vulnerability are identified and remediated promptly, here by patching to CI4MS version 0.31.0.0 or later.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS in public-facing CMS navigation and admin dashboards directly enables exploitation of public-facing web applications (T1190) and execution of attacker-controlled JavaScript in victim browsers (T1059.007), facilitating session theft and data exfiltration.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Management functionality. Post-related data selected via the Posts section is stored server-side and rendered without proper output encoding. These stored values are later rendered unsafely within administrative dashboards and public-facing navigation menus, resulting in stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.

Deeper analysis [AI-generated]

CVE-2026-34565 is a stored DOM-based cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting CI4MS, a CodeIgniter 4-based CMS skeleton that provides a production-ready, modular architecture with RBAC authorization and theme support. Versions prior to 0.31.0.0 fail to properly sanitize user-controlled input when adding Posts to navigation menus via the Menu Management functionality. Post-related data selected from the Posts section is stored server-side and rendered without proper output encoding, leading to unsafe rendering within administrative dashboards and public-facing navigation menus. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L).

Low-privileged attackers, such as authenticated users with access to the Posts and Menu Management sections, can exploit this over the network with low complexity and no user interaction. By injecting malicious payloads into Post data added to navigation menus, attackers achieve stored XSS, where scripts execute in the context of admin dashboards and public pages viewed by other users, including administrators. This enables high confidentiality impacts like session theft or sensitive data exfiltration, with limited effects on integrity and availability.

The issue has been addressed in CI4MS version 0.31.0.0. Administrators should upgrade to this version or later to mitigate the vulnerability. Additional details are available in the GitHub security advisory at https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xgh5-w62m-8mpr and release notes at https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0.
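To make the SI-15 output-filtering recommendation concrete, here is an added illustration (not CI4MS's own code, and not the project's renderer) of the pattern behind this bug class: a navigation menu built from stored Post data, first interpolated raw and then with context-aware encoding. The item shape ({ title, url }) and the sample records are constructed assumptions.

```javascript
// Added illustration of output encoding for stored menu data; not CI4MS code.
// Assumed item shape: { title, url } as saved from the Posts section.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a stored value for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encoding alone does not make an href safe: a javascript: URL survives
// escaping untouched, so the scheme is allow-listed before encoding.
function safeHref(url) {
  const u = String(url).trim();
  const allowed = /^(https?:\/\/|\/(?!\/)|#)/i; // http(s), site-relative, or fragment
  return allowed.test(u) ? escapeHtml(u) : '#';
}

// Vulnerable pattern: stored data dropped straight into the markup.
function renderMenuItemUnsafe(item) {
  return `<li><a href="${item.url}">${item.title}</a></li>`;
}

// Hardened pattern: every stored value is encoded for the context it lands in.
function renderMenuItem(item) {
  return `<li><a href="${safeHref(item.url)}">${escapeHtml(item.title)}</a></li>`;
}

function renderMenu(items, render = renderMenuItem) {
  return `<ul>${items.map(render).join('')}</ul>`;
}

// Constructed sample records: one benign Post and one whose title and URL
// carry the kind of payload a low-privileged user could have stored.
const STORED_ITEMS = [
  { title: 'About us', url: '/about' },
  { title: '<script>alert(1)</script>', url: 'javascript:alert(1)' },
];

console.log(renderMenu(STORED_ITEMS, renderMenuItemUnsafe)); // script tag reaches the page
console.log(renderMenu(STORED_ITEMS));                        // encoded, inert text
```

The same split applies on the client: building the menu with innerHTML from stored strings is the unsafe form, while textContent and setAttribute with the scheme check above is the hardened one.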

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: ci4-cms-erp ci4ms, versions ≤ 0.31.0.0

CVEs Like This One (same product: Ci4-Cms-Erp Ci4Ms)

CVE-2026-34567
CVE-2026-34562
CVE-2026-34563
CVE-2026-34557
CVE-2026-34569
CVE-2026-34559
CVE-2026-34571
CVE-2026-34564
CVE-2026-34566
CVE-2026-34568
