CVE-2026-34571
Published: 01 April 2026
Summary
CVE-2026-34571 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of user-controlled inputs in backend user management to prevent injection of persistent JavaScript code as exploited in this stored XSS vulnerability.
SI-15 mandates filtering of information outputs rendered in the administrative interface to block automatic execution of injected scripts.
SI-2 ensures timely flaw remediation, directly addressing the sanitization failure patched in CI4MS version 0.31.0.0.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in web CMS backend enables remote exploitation of public-facing application (T1190) and direct privilege escalation via JS injection leading to session hijacking and admin compromise (T1068).
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, a Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality. The application fails…
more
to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript code. This results in automatic execution whenever backend users access the affected page, enabling session hijacking, privilege escalation, and full administrative account compromise. This issue has been patched in version 0.31.0.0.
Deeper analysisAI
CVE-2026-34571 is a Stored Cross-Site Scripting (Stored XSS) vulnerability, classified under CWE-79, affecting CI4MS, a CodeIgniter 4-based CMS skeleton that provides a production-ready, modular architecture with RBAC authorization and theme support. In versions prior to 0.31.0.0, the backend user management functionality fails to properly sanitize user-controlled input before rendering it in the administrative interface. This allows attackers to inject persistent JavaScript code that executes automatically whenever backend users access the affected page.
The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating it can be exploited remotely over the network with low complexity by users with low privileges, without requiring user interaction, and with a changed scope leading to high impacts on confidentiality, integrity, and availability. Attackers can achieve session hijacking, privilege escalation, and full administrative account compromise by tricking backend users, such as administrators, into accessing the injected content.
Mitigation is available in CI4MS version 0.31.0.0, which patches the sanitization issue. Security practitioners should upgrade to this version immediately, as detailed in the project's GitHub release notes (https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0) and security advisory (https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fc4p-p49v-r948).
Details
- CWE(s)