Cyber Posture

CVE-2026-34568

Critical · Public PoC

Published: 01 April 2026

Modified: 06 April 2026
KEV Added: not listed
Patch: fixed in version 0.31.0.0
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.0005 (15.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34568 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). By exploit likelihood (EPSS) the issue ranks at the 15.4th percentile, below the median. It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- SI-10 Information Input Validation (prevent): Requires validation of user-controlled inputs during blog post creation or editing to block injection of malicious JavaScript payloads before storage.
- SI-15 Information Output Filtering (prevent): Mandates filtering and encoding of blog post content outputs in application views to prevent execution of stored malicious JavaScript in users' browsers.
- Flaw remediation (prevent): Provides a process to identify, prioritize, and remediate flaws like the lack of input sanitization and output encoding fixed in the patched version.

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
- T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
- T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS directly enables injection and execution of arbitrary JavaScript in victim browsers (T1059.007), facilitates drive-by compromise by delivering malicious payloads through legitimate site views (T1189), and supports theft of web session cookies for session hijacking (T1539), which is consistent with the vector's high confidentiality impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker can inject a malicious JavaScript payload into blog post content, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.

Deeper analysis [AI-generated]

CVE-2026-34568 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in CI4MS, a CodeIgniter 4-based CMS skeleton providing modular architecture, RBAC authorization, and theme support. Prior to version 0.31.0.0, the application does not properly sanitize user-controlled input during the creation or editing of blog posts, allowing attackers to inject malicious JavaScript payloads. These payloads are stored server-side and rendered without proper output encoding in multiple application views, enabling execution in users' browsers. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L).

An authenticated attacker with low privileges, such as the ability to create or edit blog posts, can exploit this issue remotely with low complexity and no user interaction required. By injecting a malicious JavaScript payload into post content, the attacker causes it to execute in the browser of any user who views the affected post; the vector's changed scope (S:C) reflects that the impact lands on those readers rather than on the vulnerable component itself. This can lead to high confidentiality impacts, such as session hijacking or data theft, with low integrity and availability effects.

The issue has been addressed in CI4MS version 0.31.0.0, as detailed in the project's GitHub release notes and security advisory (GHSA-x7wh-g25g-53vg). Security practitioners should upgrade to the patched version and review existing blog post content for potential malicious payloads.
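The two patterns the controls above contrast (verbatim output of a stored field versus encoding at the point of use) and the post-upgrade content review recommended here, as an added PHP illustration. This is not code from the CI4MS project; the `$posts` array, `render_post_unsafe()`, `render_post_safe()` and `find_suspect_posts()` are hypothetical names, and `esc()` is CodeIgniter 4's real helper, stubbed with `htmlspecialchars()` so the script also runs outside the framework.

```php
<?php
// Added example, not code from CI4MS. Shows the defect class in the advisory
// (stored content echoed raw into a view) beside the output-encoding fix.

// CodeIgniter 4 provides esc() (backed by Laminas Escaper). When this script runs
// outside CI4, substitute htmlspecialchars(), which matches esc()'s 'html' context.
if (!function_exists('esc')) {
    function esc(string $data, string $context = 'html'): string
    {
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample rows standing in for the blog posts table ($posts is hypothetical).
$posts = [
    ['id' => 1, 'content' => 'Release notes for 0.31.0.0 are up.'],
    ['id' => 2, 'content' => '<script>alert(document.domain)</script>'],
    ['id' => 3, 'content' => '<img src="x" onerror="alert(1)">'],
];

// Vulnerable pattern (CWE-79): the view emits the stored field verbatim, so any
// markup saved by a low-privileged author becomes live HTML for every reader.
function render_post_unsafe(array $post): string
{
    return '<article>' . $post['content'] . '</article>';
}

// Fixed pattern (SI-15, output filtering): encode at the point of use. '<', '>'
// and quotes become entities, so the browser displays text instead of running it.
function render_post_safe(array $post): string
{
    return '<article>' . esc($post['content']) . '</article>';
}

// Review step from the advisory: flag stored rows carrying script tags, inline
// event handlers or javascript: URLs. A heuristic for triage only; it does not
// replace routing every view through esc().
function find_suspect_posts(array $posts): array
{
    $pattern = '/<\s*script\b|\bon[a-z]+\s*=|javascript\s*:/i';
    return array_values(array_filter($posts, fn ($p) => preg_match($pattern, $p['content']) === 1));
}

foreach ($posts as $post) {
    echo render_post_unsafe($post), PHP_EOL; // rows 2 and 3 would execute in a browser
    echo render_post_safe($post), PHP_EOL;   // the same rows render as inert text
}
echo 'Suspect post ids: ', implode(',', array_column(find_suspect_posts($posts), 'id')), PHP_EOL;
```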

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products

ci4-cms-erp / ci4ms, versions ≤ 0.31.0.0 (as listed; note that the NVD description states the fix ships in 0.31.0.0, so confirm the exact affected range against the project's advisory)

CVEs Like This One

- CVE-2026-34563 (same product: Ci4-Cms-Erp Ci4Ms)
- CVE-2026-27599 (same product: Ci4-Cms-Erp Ci4Ms)
- CVE-2026-34569 (same product: Ci4-Cms-Erp Ci4Ms)
- CVE-2026-34557 (same product: Ci4-Cms-Erp Ci4Ms)
- CVE-2026-34559 (same product: Ci4-Cms-Erp Ci4Ms)
- CVE-2026-34560 (same product: Ci4-Cms-Erp Ci4Ms)
- CVE-2026-34567 (same product: Ci4-Cms-Erp Ci4Ms)
- CVE-2026-34562 (same product: Ci4-Cms-Erp Ci4Ms)
- CVE-2026-35035 (same product: Ci4-Cms-Erp Ci4Ms)
- CVE-2026-34565 (same product: Ci4-Cms-Erp Ci4Ms)
