Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.
Published: 2026-04-01
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

CI4MS, a CodeIgniter 4-based CMS skeleton, contained a stored DOM XSS flaw that allowed user input to be rendered unsafely within the logs interface. The flaw created a blind XSS scenario: a payload could be stored in application logs but would only execute when an administrator viewed the logs page. Execution of arbitrary JavaScript in the administrator’s browser context could lead to full account takeover and privilege escalation. The weakness aligns with CWE‑79: Improper Neutralization of Input During Web Page Generation.

Affected Systems

The vulnerability affects the CI4MS content management system distributed by ci4‑cms‑erp. Versions prior to 0.31.0.0 of the CI4MS package are susceptible when the logs feature is enabled. The flaw is present in all roles with access to the logs page and can be exploited by any user capable of submitting data that is captured in the logs.

Risk and Exploitability

The CVSS score of 9.1 indicates a high‑severity impact, and the EPSS score indicates a low probability of exploitation at present (<1 %). The vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no known active exploitation. The likely attack path requires an attacker to inject malicious input that will be recorded in logs and later trigger execution when an administrator reviews those logs. This benign‑looking log entry method makes it a difficult scenario to detect, but when leveraged it can grant full administrative control over the affected system.

Generated by OpenCVE AI on April 13, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading CI4MS to version 0.31.0.0 or later.
  • Restrict access to the logs page to only trusted administrators and ensure that log content is rendered with proper output encoding.
  • Sanitize all user‑controlled input before it is written to the logs to prevent storage of executable scripts.

Generated by OpenCVE AI on April 13, 2026 at 19:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r4v5-rwr2-q7r4 CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
History

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Ci4-cms-erp
Ci4-cms-erp ci4ms
Vendors & Products Ci4-cms-erp
Ci4-cms-erp ci4ms

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.
Title CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}

Subscriptions

Ci4-cms-erp Ci4ms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T13:58:46.604Z

Reserved: 2026-03-30T16:31:39.265Z

Link: CVE-2026-34560

cve-icon Vulnrichment

Updated: 2026-04-02T13:58:35.359Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T22:16:19.333

Modified: 2026-04-13T18:00:22.750

Link: CVE-2026-34560

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:04Z

Weaknesses