CVE-2026-34562 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper neutralization of user-controlled input in the System Settings – Company Information administrative interface. Specifically, several configuration fields accept input that is stored on the server and later rendered in web pages without proper output encoding or sanitization. This flaw allows an attacker with administrative privileges to inject malicious JavaScript code that executes in the browsers of other administrators or users who access the affected pages. The vulnerability does not require user interaction but does require high-level privileges to exploit, limiting its exposure to trusted users with admin access. The CVSS v3.1 base score is 4.7 (medium severity), reflecting the moderate impact on confidentiality, integrity, and availability, combined with the requirement for privileged access. The issue was addressed and patched in ci4ms version 0.31.0.0 by implementing proper input validation and output encoding. No known exploits are currently reported in the wild. This vulnerability highlights the importance of secure coding practices in administrative modules, especially for input that is stored and later rendered dynamically.

The primary impact of this vulnerability is the potential execution of arbitrary scripts within the administrative interface of ci4ms. An attacker with administrative privileges can leverage this to perform actions such as session hijacking, defacement, or injecting malicious payloads that affect other administrators. This can lead to unauthorized access escalation, data leakage, or disruption of CMS operations. Since the vulnerability affects stored input, the malicious code persists and can impact multiple users over time. Although exploitation requires high privileges, the risk is significant in environments where multiple administrators manage the CMS or where insider threats exist. The vulnerability could also be leveraged as a stepping stone for further attacks within the network. Organizations relying on ci4ms for critical content management or ERP functions may experience confidentiality breaches, integrity violations, and availability issues if exploited.

Organizations should immediately upgrade ci4ms to version 0.31.0.0 or later, where the vulnerability is patched. In addition, administrators should audit all user input handling in administrative modules to ensure proper sanitization and output encoding are consistently applied. Implement Content Security Policy (CSP) headers to restrict script execution and reduce the impact of potential XSS attacks. Limit the number of users with administrative privileges and enforce strong authentication mechanisms to reduce the risk of insider threats. Regularly review and monitor logs for suspicious activity related to administrative input fields. Employ web application firewalls (WAFs) with rules targeting XSS payloads as an additional layer of defense. Finally, conduct security training for administrators to recognize and avoid introducing unsafe input.