CVE-2026-34567
Published: 01 April 2026
Summary
CVE-2026-34567 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation and sanitization of user-controlled input during category creation or editing to block malicious JavaScript injection.
- SI-15 (Information Output Filtering): mandates filtering and encoding of category content when it is rendered in blog posts, preventing execution of stored XSS payloads.
- Establishes processes to identify, prioritize, test, and remediate flaws such as the inadequate input sanitization and missing output encoding exploited in this stored XSS vulnerability.
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Stored XSS in a public-facing CMS web application lets an authenticated user inject malicious JavaScript payloads that, because the stored content is rendered without sanitization or output encoding, execute in viewers' browsers.
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts within the Categories section. An attacker can inject a malicious JavaScript payload into the Categories content, which is then stored server-side. This stored payload is later rendered unsafely when the Categories are viewed via blog posts, without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Deeper analysis
CVE-2026-34567 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in CI4MS, a CodeIgniter 4-based CMS skeleton providing modular architecture, RBAC authorization, and theme support. The flaw affects versions prior to 0.31.0.0 and stems from inadequate sanitization of user-controlled input during the creation or editing of blog posts within the Categories section. This allows injection of malicious JavaScript payloads into category content, which is stored server-side and rendered without proper output encoding when categories are viewed via blog posts. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L).
An authenticated attacker with low privileges, such as a user able to create or edit categories, can exploit this over the network with low complexity and no user interaction required. By injecting a malicious JavaScript payload, the attacker achieves stored XSS that executes in the context of viewers accessing affected blog posts. This leads to high confidentiality impact through potential session hijacking, credential theft, or data exfiltration, alongside low integrity and availability impacts; the scope is Changed because the payload executes in viewers' browsers, outside the vulnerable server component itself.
The issue has been addressed in CI4MS version 0.31.0.0, as detailed in the project's GitHub release notes and security advisory (GHSA-r33w-c82v-x5v7). Security practitioners should upgrade to the patched version and review input sanitization in custom CMS implementations, particularly for stored content rendered in user-facing views.
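As an added example (not CI4MS project code), the two layers named above, validation when a category is saved and context-aware encoding when it is rendered in a blog post, in stand-alone PHP. The CodeIgniter 4 helper and rule names in the comments are the framework's own; the sample stored value and all function names are constructed for this illustration.

```php
<?php
declare(strict_types=1);
// Added example, not CI4MS code. Models SI-10 (validate on write) and SI-15
// (encode on render) for a category name shown inside blog post views.
// Runs stand-alone: php category_xss_demo.php

// Constructed sample of what a low-privileged editor could store pre-0.31.0.0.
const STORED_CATEGORY_NAME = 'Tech <script>alert("stored xss")</script>';

// Vulnerable render (the behaviour the advisory describes): the stored text is
// echoed raw, so markup saved once becomes live script for every viewer.
function renderCategoryVulnerable(string $name): string
{
    return '<span class="category">' . $name . '</span>';
}

// SI-10: reject at the trust boundary. Category names never legitimately carry
// markup, so an allowlist beats trying to strip "bad" tags. In a CodeIgniter 4
// controller the equivalent is
//   $this->validate(['name' => 'required|max_length[64]|alpha_numeric_space'])
// before handing the value to the model.
function validateCategoryName(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} _-]{1,64}$/u', $name);
}

// SI-15: encode for the exact output context. ENT_QUOTES covers HTML text and
// quoted attributes; rawurlencode leaves no quotes or ampersands in the path.
// CodeIgniter's esc($s), esc($s, 'attr') and esc($s, 'url') give the same
// per-context escaping in views.
function renderCategoryHardened(string $name, string $slug): string
{
    $text = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $href = '/category/' . rawurlencode($slug);
    return sprintf('<a class="category" href="%s" title="%s">%s</a>', $href, $text, $text);
}

// Defence in depth: rows stored before the fix bypassed validation entirely,
// so output encoding is what turns the payload into displayed text.
echo 'validation accepts stored value: ',
    var_export(validateCategoryName(STORED_CATEGORY_NAME), true), PHP_EOL;
echo 'vulnerable: ', renderCategoryVulnerable(STORED_CATEGORY_NAME), PHP_EOL;
echo 'hardened:   ', renderCategoryHardened(STORED_CATEGORY_NAME, 'tech'), PHP_EOL;
```

When reviewing a CMS for this class of bug, check both places: the save path should reject or normalise the value, and every view that prints it should go through the escaper for its context.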
Details
- CWE(s)