Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts within the Categories section. An attacker can inject a malicious JavaScript payload into the Categories content, which is then stored server-side. This stored payload is later rendered unsafely when the Categories are viewed via blog posts, without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Published: 2026-04-01
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting allowing Full Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The flaw originates from an oversight in sanitizing user input when creating or editing blog post categories in CI4MS, a CodeIgniter 4‑based CMS skeleton. A malicious script can be embedded into category content, stored by the server, and later rendered without proper output encoding when categories are viewed. This stored XSS can steal authentication cookies, hijack sessions, and elevate privileges, permitting an attacker to take full control of any user account regardless of role assignment.

Affected Systems

The affected system is the CI4MS application. All releases prior to version 0.31.0.0 are vulnerable. Version 0.31.0.0 introduces the necessary input sanitization and resolves the issue.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.1, indicating critically high severity. EPSS is below 1 %, suggesting that active exploitation is currently low in frequency. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have write access to the categories section, which typically means having any authenticated account. Once injected, the stored payload is executed in the browser of any visitor viewing the affected categories, providing a path to full account takeover.

Generated by OpenCVE AI on April 6, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch to CI4MS version 0.31.0.0 or later.
  • Verify that category content is being properly sanitized after the update.
  • If the patch cannot be applied immediately, disable the categories feature or block rendering of user‑supplied scripts in that section.
  • Monitor the database for unexpected script content in category fields and audit user access to the category editing interface.
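The two defects the advisory names (stored category content rendered without output encoding) and the two follow-up actions above (verify encoding after the update, audit stored category fields) can be illustrated in plain PHP. The block below is an added example, not code from the CI4MS project: the category field names, table layout and sample rows are assumptions. In a real CodeIgniter 4 view the encoder would be the framework's `esc()` helper; the standalone version uses `htmlspecialchars` so the script runs without the framework.

```php
<?php
// Added example (not CI4MS project code): output-encode category values when
// rendering, and audit stored category rows for markup that should never have
// been accepted. Field names ('name', 'description') are assumptions.

declare(strict_types=1);

/**
 * Encode a string for safe insertion into HTML text or attribute values.
 * This is what CodeIgniter 4's esc($value, 'html') does for you in a view.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored name is interpolated straight into markup. */
function renderCategoryUnsafe(array $category): string
{
    return '<li class="category">' . $category['name'] . '</li>';
}

/** Hardened pattern: every user-controlled value passes through the encoder. */
function renderCategorySafe(array $category): string
{
    return '<li class="category">' . encodeForHtml($category['name']) . '</li>';
}

/**
 * Audit helper for the "monitor the database for unexpected script content"
 * step. Flags rows whose fields contain HTML tags, inline event-handler
 * attributes or javascript:/data:/vbscript: URLs. Intended to be run over the
 * result of a query such as SELECT id, name, description FROM categories
 * (table name assumed). The patterns are heuristics and may produce false
 * positives, which is acceptable for a triage list.
 */
function findSuspiciousCategories(array $rows): array
{
    $patterns = [
        'html tag'      => '/<\s*\/?\s*[a-z][^>]*>/i',
        'event handler' => '/\bon[a-z]+\s*=/i',
        'script url'    => '/\b(?:javascript|data|vbscript)\s*:/i',
    ];
    $hits = [];
    foreach ($rows as $row) {
        foreach (['name', 'description'] as $field) {
            $value = (string) ($row[$field] ?? '');
            // Decode entities first so an entity-encoded payload that a later
            // template step might decode does not slip past the check.
            $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            foreach ($patterns as $label => $regex) {
                if (preg_match($regex, $decoded) === 1) {
                    $hits[] = ['id' => $row['id'], 'field' => $field, 'reason' => $label];
                    break;
                }
            }
        }
    }
    return $hits;
}

// Constructed sample rows standing in for the categories table.
$rows = [
    ['id' => 1, 'name' => 'Releases', 'description' => 'Version announcements'],
    ['id' => 2, 'name' => 'News <script>alert(1)</script>', 'description' => ''],
    ['id' => 3, 'name' => 'Docs', 'description' => '<a href="javascript:void(0)">x</a>'],
];

echo "Unsafe render of row 2:\n  " . renderCategoryUnsafe($rows[1]) . "\n";
echo "Safe render of row 2:\n  " . renderCategorySafe($rows[1]) . "\n\n";
foreach (findSuspiciousCategories($rows) as $hit) {
    printf("category %d: field '%s' contains %s\n", $hit['id'], $hit['field'], $hit['reason']);
}
```

Running the script shows the difference that matters for this CVE: the unsafe renderer emits the stored `<script>` element as live markup, while the safe renderer emits it as `&lt;script&gt;...` text. The audit function lists rows 2 and 3 with the field and the reason, which is the shape of report a defender wants when checking a database that was exposed before the 0.31.0.0 update.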

Generated by OpenCVE AI on April 6, 2026 at 19:47 UTC.


Advisories

Source: Github GHSA
ID: GHSA-r33w-c82v-x5v7
Title: CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
History

Mon, 06 Apr 2026 16:45:00 +0000

CPEs (values added): cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

First Time appeared (values added): Ci4-cms-erp; Ci4-cms-erp ci4ms
Vendors & Products (values added): Ci4-cms-erp; Ci4-cms-erp ci4ms

Wed, 01 Apr 2026 23:45:00 +0000

Description (values added): CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts within the Categories section. An attacker can inject a malicious JavaScript payload into the Categories content, which is then stored server-side. This stored payload is later rendered unsafely when the Categories are viewed via blog posts, without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Title (values added): CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Weaknesses (values added): CWE-79
References: (none listed)
Metrics (values added): cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:23:41.808Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34567

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-01T22:16:20.420

Modified: 2026-04-06T16:41:42.780

Link: CVE-2026-34567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:32Z

Weaknesses