CVE-2026-35035
Published: 06 April 2026
Summary
CVE-2026-35035 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Ci4-Cms-Erp Ci4Ms. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the failure to sanitize user-controlled input in administrative configuration fields, preventing storage of malicious XSS payloads in the database.
Mandates output filtering and encoding for database-persisted data rendered on public-facing pages, blocking XSS execution against site visitors.
Requires identification, reporting, and timely patching of the stored XSS flaw, as fixed in CI4MS version 0.31.2.0.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing CMS pages allows injection of scripts that execute in visitor browsers, directly enabling theft of cookies/session tokens and browser session hijacking.
NVD Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields…
more
accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. These values are persisted in the database and rendered unsafely on public-facing pages only, such as the main landing page. There is no execution in the administrative dashboard—the vulnerability only impacts the public frontend. This vulnerability is fixed in 0.31.2.0.
Deeper analysisAI
CVE-2026-35035 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in CI4MS, a CodeIgniter 4-based CMS skeleton providing production-ready modular architecture with RBAC authorization and theme support. The issue affects versions prior to 0.31.2.0 and stems from improper sanitization of user-controlled input in the System Settings – Company Information section. Administrative configuration fields accept attacker-supplied data that is stored server-side in the database and later rendered without proper output encoding on public-facing pages, such as the main landing page.
Exploitation requires high privileges (PR:H), meaning an authenticated administrative user must have access to the System Settings interface. Once injected, the malicious payload is persisted in the database and executed in the context of public frontend pages viewed by unauthenticated visitors. This enables attackers to steal cookies, session tokens, or perform other client-side attacks against site visitors. The CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability for affected users, though no execution occurs in the administrative dashboard.
The vulnerability is addressed in CI4MS version 0.31.2.0, which introduces proper input sanitization and output encoding for the affected fields. Security practitioners should upgrade to this version or later, as detailed in the GitHub Security Advisory at https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5ghq-42rg-769x.
Details
- CWE(s)