CVE-2026-34558 is a stored DOM-based Cross-Site Scripting (XSS) vulnerability identified in ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability exists in versions prior to 0.31.0.0 within the Methods Management functionality, where multiple input fields accept user-supplied data that is not properly sanitized or encoded before storage and subsequent rendering. Specifically, attacker-controlled JavaScript payloads can be injected into these fields and stored server-side. When these stored values are later rendered in administrative interfaces and global navigation components, they are output without proper encoding, enabling the execution of malicious scripts in the browser of authenticated users. This flaw stems from improper neutralization of input during web page generation, classified under CWE-79. The vulnerability allows an attacker with at least limited privileges (PR:L) to inject scripts that compromise confidentiality by stealing sensitive data, integrity by manipulating displayed content, and availability by potentially causing denial-of-service conditions. The CVSS v3.1 base score is 9.1 (critical), reflecting its high impact and ease of exploitation over the network without user interaction. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to organizations using affected ci4ms versions. The issue has been addressed in ci4ms version 0.31.0.0 by implementing proper input sanitization and output encoding.

The vulnerability allows attackers to execute arbitrary JavaScript in the context of authenticated users, particularly administrators, which can lead to theft of sensitive information such as credentials or session tokens, unauthorized actions performed on behalf of users, and potential disruption of service. The stored nature of the XSS means the malicious payload persists and affects all users who access the compromised components, increasing the attack surface and potential damage. Organizations relying on ci4ms for content management and enterprise resource planning risk data breaches, privilege escalation, and operational disruptions. The critical severity and ease of exploitation make this a high-priority threat, especially in environments with multiple users and administrative roles. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network or to pivot to other systems.

Organizations should immediately upgrade ci4ms installations to version 0.31.0.0 or later, where the vulnerability is patched. Until upgrading is possible, implement strict input validation on all user-supplied data in the Methods Management functionality, rejecting or sanitizing any input containing script or HTML tags. Employ comprehensive output encoding (e.g., HTML entity encoding) when rendering user input in administrative interfaces and navigation components to prevent script execution. Conduct thorough code reviews and penetration testing focusing on input handling and output contexts. Limit privileges of users who can access the Methods Management functionality to reduce risk. Additionally, implement Content Security Policy (CSP) headers to restrict script execution sources and monitor logs for suspicious activity indicative of exploitation attempts. Regularly update and patch all components of the CMS and underlying frameworks to minimize exposure to known vulnerabilities.