CVE-2026-34560: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ci4-cms-erp ci4ms
CVE-2026-34560 is a critical stored Cross-site Scripting (XSS) vulnerability in ci4ms, a CodeIgniter 4-based CMS. Versions prior to 0. 31. 0. 0 render user-controlled input unsafely within the logs interface, allowing stored XSS payloads to execute when an administrator views the logs. This is a Blind XSS scenario because the attacker does not see immediate execution. The vulnerability has been patched in version 0. 31. 0. 0.
AI Analysis
Technical Summary
The vulnerability in ci4ms (versions before 0.31.0.0) involves improper neutralization of input during web page generation (CWE-79). Specifically, user-controlled input stored in application logs is rendered without proper output encoding in the logs interface. This allows stored XSS payloads to execute in the context of an administrator viewing the logs, constituting a Blind XSS attack. The issue has been addressed and fixed in version 0.31.0.0.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of an administrator's browser when viewing the logs page. This can lead to high confidentiality impact (e.g., theft of admin session or credentials), limited integrity impact, and limited availability impact. The CVSS v3.1 score is 9.1 (critical), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and scope change.
Mitigation Recommendations
Upgrade ci4ms to version 0.31.0.0 or later where this vulnerability is patched. No other mitigation is indicated or required as the fix addresses the root cause by properly encoding output in the logs interface.
CVE-2026-34560: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ci4-cms-erp ci4ms
Description
CVE-2026-34560 is a critical stored Cross-site Scripting (XSS) vulnerability in ci4ms, a CodeIgniter 4-based CMS. Versions prior to 0. 31. 0. 0 render user-controlled input unsafely within the logs interface, allowing stored XSS payloads to execute when an administrator views the logs. This is a Blind XSS scenario because the attacker does not see immediate execution. The vulnerability has been patched in version 0. 31. 0. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in ci4ms (versions before 0.31.0.0) involves improper neutralization of input during web page generation (CWE-79). Specifically, user-controlled input stored in application logs is rendered without proper output encoding in the logs interface. This allows stored XSS payloads to execute in the context of an administrator viewing the logs, constituting a Blind XSS attack. The issue has been addressed and fixed in version 0.31.0.0.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of an administrator's browser when viewing the logs page. This can lead to high confidentiality impact (e.g., theft of admin session or credentials), limited integrity impact, and limited availability impact. The CVSS v3.1 score is 9.1 (critical), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and scope change.
Mitigation Recommendations
Upgrade ci4ms to version 0.31.0.0 or later where this vulnerability is patched. No other mitigation is indicated or required as the fix addresses the root cause by properly encoding output in the logs interface.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T16:31:39.265Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69ce7bdce6bfc5ba1ddfe7ac
Added to database: 4/2/2026, 2:23:24 PM
Last enriched: 4/10/2026, 12:10:49 AM
Last updated: 5/20/2026, 7:32:10 PM
Views: 144
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.