CVE-2026-34562 - Vulnerability Details

- CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.

Published: 2026-04-01

Score: 4.7 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

CI4MS contains a stored DOM XSS flaw in the System Settings – Company Information section. Attacker‑controlled input is persisted in the database and later rendered without proper encoding, allowing malicious JavaScript to execute in the context of any user who views the settings page. Because the framework supports role‑based access control, an attacker can hijack sessions for administrators or any role, effectively achieving full account takeover and privilege escalation.

Affected Systems

The affected product is CI4MS by ci4‑cms‑erp. Versions prior to 0.31.0.0 are vulnerable; the issue was fixed in the 0.31.0.0 release. All user roles that can modify system settings — including administrators, editors, and other privileged users — are at risk.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity, while the EPSS score of less than 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is through the web interface where an attacker with permissions to alter system settings injects malicious payloads, which are later executed when any user accesses the settings page.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ci4-cms-erp

ci4ms

affected

Version	Status	Constraints
`< 0.31.0.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Ci4-cms-erp

Ci4ms

100%

Version	Status	Scheme	Platform
`[0,0.31.0.0)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor’s patch to version 0.31.0.0 or later

Generated by OpenCVE AI on April 9, 2026 at 17:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-v897-c6vq-6cr3	CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0002.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v897-c6vq-6cr3

History

Thu, 09 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:ci4-cms-erp:ci4ms::::::::

Fri, 03 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ci4-cms-erp Ci4-cms-erp ci4ms
Vendors & Products		Ci4-cms-erp Ci4-cms-erp ci4ms

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.
Title		CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Weaknesses		CWE-79
References		https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0 https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v897-c6vq-6cr3
Metrics		cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}`

Subscriptions

Ci4-cms-erp Ci4ms

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-01T21:23:42.354Z

Updated: 2026-04-03T19:48:14.052Z

Reserved: 2026-03-30T16:31:39.265Z

Link: CVE-2026-34562

Vulnrichment

Updated: 2026-04-03T19:48:09.293Z

NVD

Status : Analyzed

Published: 2026-04-01T22:16:19.640

Modified: 2026-04-09T15:03:10.170

Link: CVE-2026-34562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:45Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object