Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Management functionality. Post-related data selected via the Posts section is stored server-side and rendered without proper output encoding. These stored values are later rendered unsafely within administrative dashboards and public-facing navigation menus, resulting in stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Published: 2026-04-01
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Stored DOM XSS enabling full account takeover and privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stored DOM-based cross-site scripting flaw in the Menu Management feature of CI4MS. Post data that a user adds to a navigation menu is saved server-side without sanitization and is later rendered without output encoding. When the navigation is displayed, in administrative dashboards and on public pages alike, the stored payload executes in the browser of whoever views it. Because administrators render the same menu, a low-privileged user's payload runs with an administrator's session; the injected script acts with the viewing user's privileges, so the attacker's own RBAC role no longer limits what it can do. This is what the advisory title means by full account takeover for all roles and privilege escalation. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L) yields 9.1 chiefly because the scope changes (the payload crosses from the CMS into the viewer's browser) and the confidentiality impact is high; integrity and availability impacts are rated low.

Affected Systems

The flaw affects CI4MS from the CI4-CMS-ERP project (CPE cpe:2.3:a:ci4-cms-erp:ci4ms). Any deployment running a version earlier than 0.31.0.0 is vulnerable. Version 0.31.0.0 contains the fix. The advisory states only that the issue is patched in that release and does not say whether the fix sanitizes on input, encodes on output, or both, so confirm the rendered output yourself after upgrading rather than assuming previously stored payloads are neutralised.

Risk and Exploitability

The vulnerability carries a critical CVSS score, but the EPSS estimate is below 1% and it is not listed in the CISA KEV catalog; the SSVC assessment records Exploitation: poc and Automatable: no, meaning a proof of concept exists but exploitation is not expected to be automated at scale. The exploitation path is nonetheless simple: the vector requires only a low-privileged authenticated account (PR:L) and no interaction from the victim (UI:N). An attacker who holds, or has compromised, an account permitted to add Posts to a menu stores the payload once, and it then runs in the context of every user who views the affected navigation, including administrators, which is why account takeover and privilege escalation are the realistic outcomes.

Generated by OpenCVE AI on April 6, 2026 at 19:48 UTC.

Remediation

The vendor fix is the 0.31.0.0 release noted in the description; no separate workaround is published.

OpenCVE Recommended Actions

  • Apply the vendor’s patch by upgrading CI4MS to version 0.31.0.0 or later.
  • If immediate upgrade is not possible, restrict the Menu Management functionality to the smallest set of trusted administrators: the payload is stored by anyone allowed to add Posts to a menu and executes for everyone who views it, so shrinking the set of users who can write menu entries shrinks the attacker pool. Monitor new menu entries for markup or script-bearing URL schemes.
  • Remove any potentially malicious post entries from existing navigation menus.
  • After upgrading, verify that menu titles and URLs are HTML-encoded in both the admin dashboard and the public navigation: add a test post whose title contains <, >, quotes and an ampersand, and confirm it renders as literal text in each place.
  • Deploy a Content-Security-Policy that disallows inline scripts as defence in depth against similar issues; do not rely on the legacy browser X-XSS-Protection filter, which current browsers have removed.
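As an added illustration of the rendering defect described in the Impact section and of the encoding check and entry audit in the recommended actions above (example code written for this page, not CI4MS's own code; the menu schema, field names, sample rows and the payload are assumed), the following shows the unencoded menu renderer beside an encoded one, plus a helper that flags stored entries an operator should review before the upgrade is complete:

```javascript
// Added example, not CI4MS code. Field names and rows are assumed.
// Constructed sample of rows a menu table might hold after Posts are added;
// the third row carries the kind of markup an attacker could store.
const STORED_MENU_ITEMS = [
  { id: 1, title: 'Home', url: '/' },
  { id: 2, title: 'About & Contact', url: '/about' },
  { id: 3, title: '<img src=x onerror="alert(1)">', url: '/posts/3' },
];

// HTML entity encoding sufficient for the text and quoted-attribute
// contexts used below (same characters CodeIgniter's esc() covers).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: stored title and url are concatenated into markup verbatim.
// When this string is assigned to innerHTML (the DOM sink), the stored
// payload executes for whoever renders the menu, administrators included.
function renderMenuUnsafe(items) {
  return '<ul class="nav">' +
    items.map(i => `<li><a href="${i.url}">${i.title}</a></li>`).join('') +
    '</ul>';
}

// Only site-relative (not protocol-relative) or http(s) URLs are allowed
// into href, so a stored "javascript:" link is neutralised as well.
function safeHref(url) {
  const u = String(url);
  if (/^(\/(?!\/)|https?:\/\/)/i.test(u)) return escapeHtml(u);
  return '#';
}

// HARDENED: every stored value is encoded for the context it lands in.
function renderMenuSafe(items) {
  return '<ul class="nav">' +
    items.map(i => `<li><a href="${safeHref(i.url)}">${escapeHtml(i.title)}</a></li>`).join('') +
    '</ul>';
}

// Audit helper for rows already in the database: returns the ids of
// entries whose title or url contains markup or a script-bearing scheme.
function findSuspiciousEntries(items) {
  const markup = /[<>]|&#|&[a-z]+;/i;
  const scheme = /^\s*(javascript|data|vbscript):/i;
  return items
    .filter(i => markup.test(i.title) || markup.test(i.url) || scheme.test(i.url))
    .map(i => i.id);
}

console.log('entries to review:', findSuspiciousEntries(STORED_MENU_ITEMS));
console.log(renderMenuSafe(STORED_MENU_ITEMS));
```

The point of the pair is that the stored row is identical in both cases; the difference lies entirely at the rendering step, which is why the post-upgrade check should be made on rendered output in every place the menu appears.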


Advisories
Source: GitHub GHSA
ID: GHSA-xgh5-w62m-8mpr
Title: CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
History

Mon, 06 Apr 2026 16:45:00 +0000

Values removed: none
Values added:
CPEs: cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Values removed: none
Values added:
First Time appeared: Ci4-cms-erp; Ci4-cms-erp ci4ms
Vendors & Products: Ci4-cms-erp; Ci4-cms-erp ci4ms
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 23:45:00 +0000

Values removed: none
Values added:
Description: CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Management functionality. Post-related data selected via the Posts section is stored server-side and rendered without proper output encoding. These stored values are later rendered unsafely within administrative dashboards and public-facing navigation menus, resulting in stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Title: CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Weaknesses: CWE-79
References
Metrics: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T18:08:44.517Z

Reserved: 2026-03-30T16:56:30.997Z

Link: CVE-2026-34565

Vulnrichment

Updated: 2026-04-02T18:08:39.406Z

NVD

Status : Analyzed

Published: 2026-04-01T22:16:20.107

Modified: 2026-04-06T16:43:31.467

Link: CVE-2026-34565

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:07:24Z

Weaknesses