Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. These values are persisted in the database and rendered unsafely on public-facing pages only, such as the main landing page. There is no execution in the administrative dashboard—the vulnerability only impacts the public frontend. This vulnerability is fixed in 0.31.2.0.
Published: 2026-04-06
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS on public pages
Action: Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the System Settings – Company Information section of the CI4MS CMS. Prior to version 0.31.2.0, the application fails to properly sanitize user‑controlled input from several administrative configuration fields. These values are persisted to the database and later rendered on public‑facing pages, such as the main landing page, without output encoding, allowing an attacker to inject arbitrary client‑side code that executes in the browsers of anyone who visits that page. The flaw does not affect the administrative dashboard and is limited to the public frontend.

Affected Systems

All installations of the CI4MS product (ci4-cms-erp:ci4ms) whose application version is older than 0.31.2.0 are affected. The issue is present in each release preceding that version and applies to any site that still allows administrators to edit the Company Information fields.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an attacker to modify the Company Information fields, which is likely only possible with administrative access; this inference rests on the fields being administrative configuration items and is consistent with the PR:H (privileges required: high) component of the CVSS vector recorded below. Once the attacker injects malicious code, any visitor to the affected public page will execute that code in their browser.

Generated by OpenCVE AI on April 8, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CI4MS to version 0.31.2.0 or later
  • Remove or sanitize any existing malicious content from the Company Information fields in System Settings
  • Verify that public‑facing pages no longer render unsanitized data
  • Implement stricter output‑encoding or sanitization for future content entered via the admin interface
  • Monitor application logs for XSS attempts and review user sessions for abnormal activity
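As an added illustration (not CI4MS project code) of the flaw class described in the analysis above and of the verification and output-encoding actions in this list: a PHP sketch of the vulnerable raw-echo pattern beside its encoded form, plus a check that stored Company Information values no longer reach the landing page unencoded. Field names and sample values are constructed; in a CodeIgniter 4 view the framework's esc() helper performs the encoding that htmlspecialchars() does here.

```php
<?php
// Added example, not CI4MS project code. Models the flaw class in this record:
// Company Information settings saved by an administrator are later echoed into
// the public landing page. Field names and values below are constructed.

// Constructed stored settings; two values carry HTML-significant characters.
const SAMPLE_SETTINGS = [
    'company_name'    => 'Example Corp <b>Ltd</b>',
    'company_slogan'  => '"Quality" & trust',
    'company_address' => '1 Sample Street',
];

/** Vulnerable pattern: stored values interpolated into HTML verbatim. */
function renderLandingPageUnsafe(array $s): string
{
    return "<h1>{$s['company_name']}</h1>\n"
         . "<p>{$s['company_slogan']}</p>\n"
         . "<address>{$s['company_address']}</address>";
}

/** HTML-context output encoding at render time. A CodeIgniter 4 view would use
 *  the framework's esc() helper; htmlspecialchars() keeps this runnable with stock PHP. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Fixed pattern: every stored value passes through h() before output. */
function renderLandingPageSafe(array $s): string
{
    return '<h1>' . h($s['company_name']) . "</h1>\n"
         . '<p>' . h($s['company_slogan']) . "</p>\n"
         . '<address>' . h($s['company_address']) . '</address>';
}

/** Verification: return the keys whose stored value contains markup-significant
 *  characters and still appears verbatim in the rendered page. An empty result
 *  means the page encodes every field. */
function findUnencodedFields(array $s, string $html): array
{
    $leaks = [];
    foreach ($s as $key => $value) {
        if ($value !== h($value) && str_contains($html, $value)) {
            $leaks[] = $key;
        }
    }
    return $leaks;
}

print_r(findUnencodedFields(SAMPLE_SETTINGS, renderLandingPageUnsafe(SAMPLE_SETTINGS)));
print_r(findUnencodedFields(SAMPLE_SETTINGS, renderLandingPageSafe(SAMPLE_SETTINGS)));
```

Running it lists company_name and company_slogan as leaking from the unsafe renderer and an empty array for the encoded one; the same check can be pointed at a real rendered page to confirm the post-upgrade state.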

Advisories
Source: Github GHSA
ID: GHSA-5ghq-42rg-769x
Title: CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS
History

Wed, 22 Apr 2026 19:00:00 +0000

CPEs: cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 15:00:00 +0000

Description (Values Removed): CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0 , the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. These values are persisted in the database and rendered unsafely on public-facing pages only, such as the main landing page. There is no execution in the administrative dashboard—the vulnerability only impacts the public frontend. This vulnerability is fixed in 0.31.2.0.
Description (Values Added): CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. These values are persisted in the database and rendered unsafely on public-facing pages only, such as the main landing page. There is no execution in the administrative dashboard—the vulnerability only impacts the public frontend. This vulnerability is fixed in 0.31.2.0.

Tue, 07 Apr 2026 18:00:00 +0000

Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

First Time appeared: Ci4-cms-erp; Ci4-cms-erp ci4ms
Vendors & Products: Ci4-cms-erp; Ci4-cms-erp ci4ms

Mon, 06 Apr 2026 18:00:00 +0000

Description: CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0 , the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. These values are persisted in the database and rendered unsafely on public-facing pages only, such as the main landing page. There is no execution in the administrative dashboard—the vulnerability only impacts the public frontend. This vulnerability is fixed in 0.31.2.0.
Title: CI4MS Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS
Weaknesses: CWE-79
References:
Metrics: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:26:39.894Z

Reserved: 2026-03-31T21:06:06.427Z

Link: CVE-2026-35035

Vulnrichment

Updated: 2026-04-07T15:46:35.470Z

NVD

Status : Analyzed

Published: 2026-04-06T17:17:12.793

Modified: 2026-04-22T18:52:23.720

Link: CVE-2026-35035

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:50:38Z

Weaknesses