Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when handling backup uploads and processing backup metadata. An attacker can inject a malicious JavaScript payload into the backup filename via the uploaded xss.sql, which uses SQL functionality to insert the XSS payload server-side. This stored payload is later rendered unsafely in multiple backup management views without proper output encoding, leading to stored blind cross-site scripting (Blind XSS). This issue has been patched in version 0.31.0.0.
Published: 2026-04-01
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Stored blind XSS causing full account takeover and privilege escalation
Action: Immediate Patch
AI Analysis

Impact

CI4MS allows attackers to embed malicious JavaScript into the filename of an uploaded backup file, which the system stores and later renders in multiple backup management views without proper encoding. This stored blind cross‑site scripting flaw can be exploited to take over any user account, including those with highest privileges, and to elevate permissions for broader access. The weakness is a classic XSS vulnerability classified as CWE‑79.

Affected Systems

The affected vendor is ci4‑cms‑erp and the product is CI4MS. Any instance running a version older than 0.31.0.0 is vulnerable; the issue was addressed in the 0.31.0.0 release.

Risk and Exploitability

The CVSS score of 9.1 indicates high severity, yet the EPSS score of less than 1% suggests current exploit activity is very low. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to upload a backup file through the backup interface, a path that typically requires authenticated access. Once the payload is stored, it will execute when any authorized user views the backup, allowing attackers to hijack accounts and boost privileges.

Generated by OpenCVE AI on April 7, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply CI4MS version 0.31.0.0 or later to remove the XSS issue
  • Verify that the running instance matches the patched version
  • If upgrading immediately is not feasible, block or restrict access to the backup upload feature until the patch is applied
  • Ensure output encoding is enabled for all backup metadata before rendering
  • Monitor logs for abnormal backup uploads or JavaScript activity in the backup views

Generated by OpenCVE AI on April 7, 2026 at 23:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-85m8-g393-jcxf CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS
History

Tue, 07 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Ci4-cms-erp
Ci4-cms-erp ci4ms
Vendors & Products Ci4-cms-erp
Ci4-cms-erp ci4ms

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when handling backup uploads and processing backup metadata. An attacker can inject a malicious JavaScript payload into the backup filename via the uploaded xss.sql, which uses SQL functionality to insert the XSS payload server-side. This stored payload is later rendered unsafely in multiple backup management views without proper output encoding, leading to stored blind cross-site scripting (Blind XSS). This issue has been patched in version 0.31.0.0.
Title CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}

Subscriptions

Ci4-cms-erp Ci4ms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:23:49.154Z

Reserved: 2026-03-30T16:31:39.265Z

Link: CVE-2026-34563

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T22:16:19.800

Modified: 2026-04-07T21:33:51.717

Link: CVE-2026-34563

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:56:46Z

Weaknesses