CVE-2026-34560 is a critical stored Cross-Site Scripting (XSS) vulnerability identified in ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability stems from improper neutralization of user input during web page generation, specifically within the logs interface of ci4ms versions prior to 0.31.0.0. When user-controlled data is logged, it is rendered without proper output encoding, allowing an attacker to inject malicious JavaScript payloads into the logs. This results in a Blind XSS scenario because the injected script does not execute immediately upon injection but only when an administrator or authorized user accesses the logs page, triggering the payload execution in their browser context. This can lead to session hijacking, credential theft, or unauthorized actions performed with administrator privileges. The vulnerability requires low complexity to exploit, as it only needs low privileges to inject data into logs and no user interaction is necessary for the payload to execute once the logs are viewed. The CVSS v3.1 score of 9.1 reflects the critical severity, with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially compromised system. The flaw is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security weakness. The issue has been addressed and patched in ci4ms version 0.31.0.0, which implements proper output encoding and sanitization of logged data to prevent script injection.

The impact of CVE-2026-34560 is significant for organizations using ci4ms versions prior to 0.31.0.0. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of administrative users, potentially leading to session hijacking, theft of sensitive information, unauthorized administrative actions, and further compromise of the CMS environment. Because the payload executes when administrators view logs, it can bypass some traditional user-facing XSS mitigations and evade immediate detection. This can result in prolonged undetected access and control over critical CMS functions, affecting confidentiality, integrity, and availability of the system. Organizations relying on ci4ms for content management and enterprise resource planning may face data breaches, defacement, or disruption of services. The vulnerability's network accessibility and low complexity make it a high-risk threat, especially in environments where multiple users can input data that gets logged. Although no known exploits are reported in the wild yet, the critical severity and ease of exploitation warrant urgent remediation to prevent potential attacks.

To mitigate CVE-2026-34560, organizations should immediately upgrade ci4ms to version 0.31.0.0 or later, where the vulnerability is patched. Beyond patching, implement strict input validation on all user-supplied data before logging, ensuring that potentially malicious content is sanitized or rejected. Employ robust output encoding techniques, such as context-aware HTML entity encoding, when rendering any logged data in web interfaces to prevent script execution. Restrict access to the logs interface to only trusted administrative users and consider implementing multi-factor authentication to reduce the risk of compromised credentials. Monitor logs and application behavior for unusual activities that may indicate attempted exploitation. Additionally, conduct regular security code reviews focusing on input handling and output encoding in all modules that render user data. Deploy Content Security Policy (CSP) headers to limit the impact of any injected scripts. Finally, educate administrators about the risks of viewing untrusted logs and encourage cautious handling of log data.