Cyber Posture

CVE-2026-34569

Severity: Critical · Public PoC referenced

Published: 01 April 2026
Modified: 06 April 2026
KEV Added: not listed
Patch: fixed in CI4MS 0.31.0.0
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0005 (15.4th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34569 is a critical-severity stored cross-site scripting (CWE-79) vulnerability in CI4MS (Ci4-Cms-Erp). Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 15.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and three further techniques listed below. What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-10 Information Input Validation (prevent): validate user-controlled inputs such as category titles (length limit, allowed character set) before storing them. Treat this as defence in depth only; a denylist of script-looking strings will not stop XSS on its own, and the stored data must still be encoded on output.

SI-15 Information Output Filtering (prevent): encode stored data for the context it is rendered into (HTML body, attribute, JavaScript, URL) on every page that displays it, including administrative views. This is the control that actually blocks payload execution in the browser.

SI-2 Flaw Remediation (prevent): remediate the flaw itself by upgrading to CI4MS 0.31.0.0, the version in which the project reports the issue patched.
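As an added illustration (not code from the CI4MS project and not its patch), the stand-alone PHP script below contrasts the raw-interpolation view pattern the advisory describes with context-aware output encoding, and adds an allowlist validator for the title field. The helper names, the allowed character set and the sample payload are assumptions; CodeIgniter 4's esc() helper is the in-framework equivalent of the htmlspecialchars() call shown.

```php
<?php
// Added example (not CI4MS project code): vulnerable versus hardened
// rendering of a stored blog category title. Helper names and the sample
// payload are constructed for illustration.
declare(strict_types=1);

// Constructed sample of what a user with category-edit rights might save.
// A generic XSS probe, not the public PoC the advisory references.
const ATTACKER_TITLE = '<img src=x onerror="alert(document.cookie)">';

/** Vulnerable pattern: stored data interpolated straight into HTML,
 *  equivalent to <?= $category->title ?> in a CodeIgniter 4 view. */
function render_category_vulnerable(string $title): string
{
    return '<h2 class="category">' . $title . '</h2>';
}

/** Hardened pattern (SI-15): HTML-context encoding.
 *  ENT_QUOTES encodes both quote styles so the same output is safe inside a
 *  quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 *  returning an empty string. In CodeIgniter 4 this is esc($title). */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_category_safe(string $title): string
{
    return '<h2 class="category">' . esc_html($title) . '</h2>';
}

/** Attribute and URL contexts: the attribute must be quoted and encoded
 *  (esc($title, 'attr') in CodeIgniter 4); the path segment is URL-encoded. */
function render_category_link_safe(string $slug, string $title): string
{
    return '<a href="/blog/category/' . rawurlencode($slug) . '" title="'
        . esc_html($title) . '">' . esc_html($title) . '</a>';
}

/** Input validation (SI-10): allowlist of letters, digits, spaces and a few
 *  punctuation marks, 1 to 100 code points. Defence in depth only: titles
 *  that pass (ampersands, apostrophes) still need encoding on output. */
function validate_category_title(string $title): bool
{
    return preg_match('/^[\p{L}\p{N} .,&\'()\-]{1,100}$/u', $title) === 1;
}

if (PHP_SAPI === 'cli') {
    // The first line hands the browser a live <img onerror> tag; the second
    // renders the same bytes as inert text.
    echo render_category_vulnerable(ATTACKER_TITLE), PHP_EOL;
    echo render_category_safe(ATTACKER_TITLE), PHP_EOL;
    echo render_category_link_safe('security-privacy', "Security & Privacy"), PHP_EOL;
    var_dump(validate_category_title(ATTACKER_TITLE));
    var_dump(validate_category_title("O'Reilly Reviews"));
}
```

Run it with the php CLI. The validator rejects the sample payload but accepts "Security & Privacy" and "O'Reilly Reviews", both of which would still break an unquoted or single-quoted attribute without encoding, which is why SI-15 rather than SI-10 is the primary control here.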

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 Command and Scripting Interpreter: JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

T1056.001 Input Capture: Keylogging (Collection)
Adversaries may log user keystrokes to intercept credentials as the user types them.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

The stored XSS sits in a public-facing CMS, so initial exploitation maps to T1190. The injected payload gives arbitrary JavaScript execution in victims' browsers (T1059.007), which in turn enables keystroke capture on the affected pages (T1056.001) and theft of web session cookies (T1539). Cookie theft via script only reaches cookies not flagged HttpOnly; even then, the script can still drive the victim's authenticated session from inside the browser.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog categories. An attacker can inject a malicious JavaScript payload into the category title field, which is then stored server-side. This stored payload is later rendered unsafely across public-facing blog category pages, administrative interfaces, and blog post views without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.

Deeper analysis (AI-generated)

CVE-2026-34569 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in CI4MS, a CodeIgniter 4-based CMS skeleton with RBAC authorization and theme support. In versions prior to 0.31.0.0 the title entered when creating or editing a blog category is stored without sanitization and later rendered without output encoding on public-facing blog category pages, administrative interfaces, and blog post views. The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, base score 9.9 (Critical): network-reachable, low attack complexity, low privileges required.

The attacker needs an account that can create or edit blog categories (PR:L); in an RBAC deployment that may be a limited editorial role rather than an administrator. Once the payload is saved it executes in the browser of anyone who views an affected page, including administrators using the back-office views, enabling session cookie theft, keystroke capture and actions performed with the victim's privileges. The scope is changed (S:C) because the script runs in victims' browsers rather than in the vulnerable component, and the vector rates confidentiality, integrity and availability impact as high. Note that the vector records UI:N even though the stored payload only fires when a victim loads an affected page; stored XSS is usually scored with UI:R for that reason, so treat 9.9 as an upper bound when prioritizing.

The issue is fixed in CI4MS version 0.31.0.0, per the project's GitHub release notes and security advisory. Upgrade deployed instances, then check for prior exploitation: inspect stored category titles (and any other stored field the same views render) for markup, event-handler attributes or javascript: URIs, including entity-encoded variants; review application and web server logs for category create and edit requests from low-privileged accounts around the time any suspicious title was saved; and invalidate sessions of administrators who may have viewed a poisoned page. For custom CMS extensions, apply the same discipline: validate on input and encode on output in CodeIgniter views (the framework's esc() helper) rather than relying on stripping tags.
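If an instance ran a vulnerable version, the stored titles are the evidence. The script below is an added example, not project code and not the referenced PoC: it scans an exported set of category rows for markup, event handlers, script URIs and JavaScript calls, decoding HTML entities once so that entity-encoded payloads are not missed. The column names (id, title, updated_at), the export shape and the sample rows are constructed assumptions.

```php
<?php
// Added example (not CI4MS project code): triage scan for payloads already
// stored in blog category titles. Column names, export shape and sample rows
// are constructed assumptions.
declare(strict_types=1);

/** Indicators of stored markup or script in a title field. A denylist is
 *  acceptable here because this hunts existing data; it is not an input filter. */
const SUSPICIOUS_TITLE_PATTERNS = [
    'html_tag'      => '/<\s*\/?\s*[a-z][a-z0-9-]*/i',          // element start or end tag
    'event_handler' => '/\bon[a-z]+\s*=/i',                       // onerror=, onload=, ...
    'script_uri'    => '/\b(?:javascript|vbscript|data)\s*:/i',   // javascript: / data: URLs
    'js_call'       => '/\b(?:alert|eval|fetch|document\.cookie|XMLHttpRequest)\b/i',
];

/** Returns the names of the indicators matching one title. Entities are
 *  decoded once so a payload stored as &lt;script&gt; is still detected. */
function classify_title(string $title): array
{
    $decoded = html_entity_decode($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $hits = [];
    foreach (SUSPICIOUS_TITLE_PATTERNS as $name => $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Scans rows shaped like an export of "SELECT id, title, updated_at FROM
 *  categories" (assumed names) and returns only the flagged rows. */
function scan_category_rows(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $hits = classify_title((string) $row['title']);
        if ($hits !== []) {
            $flagged[] = [
                'id'         => $row['id'],
                'updated_at' => $row['updated_at'],
                'indicators' => $hits,
                'title'      => $row['title'],
            ];
        }
    }
    return $flagged;
}

// Constructed sample export (not real data). Rows 3 and 4 carry payloads;
// row 4 is entity-encoded, as it might appear after a partial clean-up.
$sampleRows = [
    ['id' => 1, 'title' => 'Security & Privacy',                             'updated_at' => '2026-03-02 10:11:00'],
    ['id' => 2, 'title' => "O'Reilly Reviews",                                'updated_at' => '2026-03-05 08:00:00'],
    ['id' => 3, 'title' => '<img src=x onerror="alert(document.cookie)">',    'updated_at' => '2026-04-01 23:58:41'],
    ['id' => 4, 'title' => '&lt;script src=https://example.invalid/k.js&gt;&lt;/script&gt;', 'updated_at' => '2026-04-02 00:03:12'],
    ['id' => 5, 'title' => 'Events on Saturday',                              'updated_at' => '2026-03-20 12:00:00'],
];

if (PHP_SAPI === 'cli') {
    foreach (scan_category_rows($sampleRows) as $row) {
        printf("id=%d updated_at=%s indicators=%s title=%s\n",
            $row['id'], $row['updated_at'], implode(',', $row['indicators']), $row['title']);
    }
}
```

Expect false positives (a legitimate title such as "Big data: trends" trips the script_uri pattern); the output is a review list, and updated_at narrows the log window for the matching create or edit request. Apply the same scan to any other field the affected views render.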

Details

CWE(s)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products
ci4-cms-erp ci4ms, versions prior to 0.31.0.0 (fixed in 0.31.0.0)

CVEs Like This One

CVE-2026-34563 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34559 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34567 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34562 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34565 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34568 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-27599 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34557 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-34560 (same product: Ci4-Cms-Erp Ci4Ms)
CVE-2026-35035 (same product: Ci4-Cms-Erp Ci4Ms)
