Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within group and role management functionality. Multiple input fields (three distinct group-related fields) can be injected with malicious JavaScript payloads, which are then stored server-side. These stored payloads are later rendered unsafely within privileged administrative views without proper output encoding, leading to stored cross-site scripting (XSS) within the role and permission management context. This issue has been patched in version 0.31.0.0.
Published: 2026-03-30
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Stored XSS
Action: Immediate Patch
AI Analysis

Impact

CI4MS allows malicious JavaScript to be entered into group and role management fields, where it is stored on the server and later rendered unsafely within privileged administrative views. This stored cross-site scripting can execute arbitrary code in the browser context of any administrator, allowing complete account takeover and full privilege escalation. The vulnerability arises from a failure to sanitize user-controlled input on the way in and a failure to encode that data on output when it is displayed in the role management interface.

Affected Systems

All installations of CI4MS built on CodeIgniter 4 and released prior to version 0.31.0.0 are affected. The issue has been patched in 0.31.0.0, so any version earlier than that must be upgraded.

Risk and Exploitability

The vulnerability has a CVSS score of 9.1, indicating critical severity, yet its EPSS score is below 1%, suggesting a low likelihood of active exploitation at present. It is not listed in the CISA KEV catalog. The attack path is inferred to require authenticated access to the group and role management interface, typically granted only to administrators. An attacker who can log in as an administrator can inject the payload, which then executes in subsequent sessions of any administrator who loads the affected page. The exploit is straightforward once authenticated, but the prerequisite of admin credentials limits the overall attack surface.

Generated by OpenCVE AI on April 6, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CI4MS to version 0.31.0.0 or later
  • Verify that group and role management pages no longer accept unsanitized JavaScript payloads and that output is properly escaped
  • Deploy a web application firewall rule set to block script injection attempts in form submissions
  • Regularly monitor administrative activity for signs of anomalous actions


Advisories

Source: GitHub GHSA
ID: GHSA-rpjr-985c-qhvm
Title: CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

History

Mon, 06 Apr 2026 18:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values added: Ci4-cms-erp; Ci4-cms-erp ci4ms

Type: Vendors & Products
Values added: Ci4-cms-erp; Ci4-cms-erp ci4ms

Tue, 31 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type: Description
Values added: (the Description text shown at the top of this page)

Type: Title
Values added: CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Type: Weaknesses
Values added: CWE-79

Type: References
Values added:

Type: Metrics (cvssV3_1)
Values added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:10:46.649Z

Reserved: 2026-03-30T16:31:39.265Z

Link: CVE-2026-34557

Vulnrichment

Updated: 2026-03-31T14:08:34.522Z

NVD

Status: Analyzed

Published: 2026-03-30T21:17:10.323

Modified: 2026-04-06T16:53:19.183

Link: CVE-2026-34557

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:31Z

Weaknesses