CVE-2026-34989
Published: 06 April 2026
Summary
CVE-2026-34989 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 15.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of user inputs like profile names to reject malicious JavaScript payloads before they are stored server-side, directly addressing the sanitization failure.
SI-15 mandates filtering and encoding of information outputs in application views to prevent execution of stored malicious JavaScript, mitigating the unsafe rendering.
SI-2 ensures timely identification, reporting, and correction of flaws like this stored XSS vulnerability through patching to version 31.0.0.0 or equivalent fixes.
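The two defensive layers named above, SI-10 input validation on the profile-name update and SI-15 output encoding in the view, shown together as an added PHP example; this is not CI4MS project code. It uses plain PHP so it runs stand-alone with `php profile_xss_defense.php`; CodeIgniter 4's `esc()` helper and its `alpha_space`/`max_length[n]` validation rules are the framework-native equivalents of the two functions here. The function names, the view fragment and the sample profile names are assumptions for illustration.

```php
<?php
// Added example, not CI4MS code: the two defensive layers that the SI-10 and
// SI-15 controls describe for a stored-XSS bug in a profile-name field.
// Function names and sample values are assumed for illustration.
declare(strict_types=1);

// SI-10: validate the profile name before it is stored. Rejects anything that
// could form markup (<, >, ", &, /). This mirrors the intent of a CodeIgniter 4
// rule set such as 'required|max_length[100]|alpha_space' in the controller.
function validateProfileName(string $name): bool
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return false;
    }
    // Letters and marks in any script, digits, spaces, apostrophes, hyphens.
    return preg_match('/^[\p{L}\p{M}\p{N} \'\-]+$/u', $name) === 1;
}

// SI-15: encode at the moment of output. This is what CodeIgniter 4's esc()
// does for its default 'html' context; in a CI4 view you would write
// <?= esc($name) ?> instead of <?= $name ?>.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The vulnerable pattern: a stored value interpolated straight into the view.
function renderProfileUnsafe(string $storedName): string
{
    return '<h1 class="profile-name">' . $storedName . '</h1>';
}

// The hardened pattern: the same view, with the value encoded as it is rendered.
function renderProfileSafe(string $storedName): string
{
    return '<h1 class="profile-name">' . escapeForHtml($storedName) . '</h1>';
}

// Constructed sample inputs: one legitimate name, one markup-bearing name.
$benign  = "Ada O'Neil-Smith";
$hostile = '<script>alert(1)</script>';

// Layer 1: the hostile value never reaches the database when validation runs.
if (!validateProfileName($benign) || validateProfileName($hostile)) {
    throw new RuntimeException('validation layer did not behave as expected');
}

// Layer 2: even for rows stored before validation existed, output encoding
// keeps the payload inert. The safe rendering must not contain a raw "<".
$safe = renderProfileSafe($hostile);
if (strpos($safe, '<script') !== false) {
    throw new RuntimeException('output encoding layer did not behave as expected');
}

echo "unsafe view: ", renderProfileUnsafe($hostile), PHP_EOL;
echo "safe view:   ", $safe, PHP_EOL;
echo "benign name: ", renderProfileSafe($benign), PHP_EOL;
```

Validation alone is not sufficient here because the advisory describes a stored payload: rows written before the fix remain in the database, so the view-side encoding is the layer that actually neutralises them, and validation mainly keeps new hostile rows out.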
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables injection and execution of arbitrary JavaScript in victims' browsers when viewing profiles (T1203: Exploitation for Client Execution), directly facilitating browser session hijacking (T1185) and theft of web session cookies (T1539) leading to account takeover as described.
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0.
Deeper analysis
CVE-2026-34989 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting CI4MS, a CodeIgniter 4-based CMS skeleton that provides a production-ready, modular architecture with RBAC authorization and theme support. In versions prior to 31.0.0.0, the application does not properly sanitize user-controlled input during profile name updates, such as full name or username. This allows malicious JavaScript payloads to be injected, stored server-side, and rendered unsafely without output encoding in multiple application views. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to network accessibility, low complexity, and high impacts across confidentiality, integrity, and availability with changed scope.
Low-privileged authenticated users (PR:L) can exploit this vulnerability by updating their own profile with a malicious JavaScript payload, which is persistently stored and displayed to other users without sanitization. Exploitation requires user interaction (UI:R), such as victims viewing affected application views containing the attacker's profile information. Successful attacks enable arbitrary JavaScript execution in the victim's browser context, potentially leading to session hijacking, data theft, account takeover, or further compromise within the changed scope (S:C).
The GitHub security advisory (GHSA-vr2g-rhm5-q4jr) confirms the issue and states that it is fixed in CI4MS version 31.0.0.0, recommending immediate upgrades to mitigate the vulnerability. No additional workarounds are detailed in the provided references.
Details
- CWE(s)