CVE-2026-34566
Published: 01 April 2026
Summary
CVE-2026-34566 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly mandates validation of user-controlled inputs in Page Management to block malicious JavaScript payloads from being stored server-side.
SI-15 requires filtering and encoding of information outputs in administrative lists and public views to prevent execution of stored XSS payloads.
SI-2 ensures identification, reporting, and timely patching of the sanitization flaw, as fixed in CI4MS version 0.31.0.0.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS enables injection and execution of arbitrary JavaScript payloads in victim browsers (T1059.007), directly facilitating browser session hijacking for cookie theft and data exfiltration (T1185).
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Page Management functionality when creating or editing…
more
pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side. These stored values are later rendered without proper output encoding across administrative page lists and public-facing page views, leading to stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Deeper analysisAI
CVE-2026-34566 is a stored DOM-based cross-site scripting (XSS) vulnerability (CWE-79) in CI4MS, a CodeIgniter 4-based CMS skeleton providing production-ready modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the Page Management functionality fails to properly sanitize user-controlled input during page creation or editing. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side and later rendered without adequate output encoding in administrative page lists and public-facing page views. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L).
Low-privileged authenticated users with access to create or edit pages can exploit this issue over the network with low complexity and no user interaction required. By injecting malicious JavaScript payloads into vulnerable input fields, attackers can achieve stored XSS that executes in the context of administrative interfaces and public pages. This enables high-impact confidentiality breaches, such as session hijacking or data exfiltration, alongside low-impact integrity and availability effects due to the changed scope.
The issue has been addressed in CI4MS version 0.31.0.0, as detailed in the project's GitHub release notes (https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0) and security advisory (https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-458r-h248-29c5). Security practitioners should upgrade to the patched version and review existing pages for potentially malicious content, applying output encoding where necessary.
Details
- CWE(s)