CVE-2026-34563 is a stored cross-site scripting (XSS) vulnerability identified in ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper neutralization of user-controlled input during web page generation, specifically in the handling of backup uploads and their metadata. Attackers can upload a specially crafted backup file named with a malicious JavaScript payload (e.g., via an xss.sql file). This payload is stored server-side using SQL functionality and later rendered in multiple backup management views without proper output encoding or sanitization. Because the malicious script is stored and executed in the context of authenticated users viewing the backup management interface, it constitutes a stored blind XSS attack. This can lead to session hijacking, unauthorized actions, or further exploitation within the administrative interface. The vulnerability requires the attacker to have at least limited authenticated access to upload backups but does not require victim user interaction to trigger the payload once stored. The flaw affects all ci4ms versions prior to 0.31.0.0 and has been addressed in that release. The CVSS v3.1 base score is 9.1, reflecting high impact on confidentiality, moderate impact on integrity and availability, network attack vector, low attack complexity, and privileges required. No known exploits are currently reported in the wild, but the critical nature and ease of exploitation make this a significant threat to affected deployments.

The vulnerability allows attackers to execute arbitrary JavaScript in the context of authenticated users managing backups, potentially leading to session hijacking, privilege escalation, or unauthorized administrative actions. This compromises confidentiality by exposing sensitive session tokens or data, integrity by enabling unauthorized changes, and availability by potentially disrupting backup management functions. Since the attack vector is network-based and requires only low privileges, attackers with limited access can leverage this to escalate their control. Organizations relying on ci4ms for content management and backup operations face risks of data breaches, operational disruption, and reputational damage. The stored nature of the XSS means the payload persists until the backup is removed or the system is patched, increasing exposure duration. The vulnerability is particularly impactful in environments where backup management interfaces are accessed by multiple administrators or integrated into broader operational workflows.

Immediate mitigation requires upgrading ci4ms to version 0.31.0.0 or later, where the vulnerability is patched. Until upgrade is possible, organizations should restrict backup upload permissions strictly to trusted users and monitor backup filenames for suspicious patterns or scripts. Implement additional input validation on backup filenames to reject or sanitize potentially malicious characters or scripts. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts. Regularly audit backup management views and logs for unusual activity. Consider isolating backup management interfaces behind additional authentication layers or network segmentation. Educate administrators about the risks of uploading untrusted backup files and the importance of applying security updates promptly. Finally, conduct penetration testing focused on XSS vectors in backup and metadata handling to verify remediation.