Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0.
Published: 2026-04-06
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting enabling full account takeover and privilege escalation
Action: Patch
AI Analysis

Impact

The flaw arises when the CMS accepts user‑controlled profile names without proper sanitization, allowing an attacker to inject JavaScript into the name field. This malicious script is stored server‑side and later rendered unsafely in multiple application views, leading to a stored cross‑site scripting vulnerability that can be used to hijack user sessions, elevate privileges, or take full control of an account.

Affected Systems

The vulnerability affects the CI4MS CMS skeleton (ci4-cms-erp:ci4ms) in all releases prior to version 31.0.0.0. Users running earlier versions are at risk.

Risk and Exploitability

With a CVSS score of 9.4 the risk is high, EPSS data is not available, and the issue is not listed in the CISA KEV catalog. The attack vector is application‑level stored XSS. Based on the description, it is inferred that an attacker must first be authenticated to modify their profile name before exploiting the vulnerability.

Generated by OpenCVE AI on April 6, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch to release 31.0.0.0 or later.
  • If patching is delayed, enforce stricter input validation on the profile name field, allowing only plain text characters.
  • Ensure that all user‑controlled data is properly escaped before rendering in any view.
  • Perform a code review of profile‑related templates to confirm there are no remaining unsanitized outputs.
  • Monitor user accounts for unexpected privilege changes or injection attempts and investigate promptly.

Generated by OpenCVE AI on April 6, 2026 at 20:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vr2g-rhm5-q4jr CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
History

Mon, 27 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Ci4-cms-erp
Ci4-cms-erp ci4ms
Vendors & Products Ci4-cms-erp
Ci4-cms-erp ci4ms

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0.
Title CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Ci4-cms-erp Ci4ms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T16:00:10.965Z

Reserved: 2026-03-31T19:38:31.617Z

Link: CVE-2026-34989

cve-icon Vulnrichment

Updated: 2026-04-07T15:58:04.636Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T17:17:12.037

Modified: 2026-04-27T23:41:16.540

Link: CVE-2026-34989

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:31:37Z

Weaknesses