CVE-2026-34564: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ci4-cms-erp ci4ms
CVE-2026-34564 is a critical stored DOM-based cross-site scripting (XSS) vulnerability in ci4ms, a CodeIgniter 4-based CMS. Versions prior to 0. 31. 0. 0 improperly sanitize user input when adding Pages to navigation menus, causing unsafe rendering of stored payloads in both administrative and public interfaces. This can lead to high-impact consequences including partial confidentiality loss, limited integrity compromise, and availability degradation. The issue has been fixed in version 0. 31. 0. 0.
AI Analysis
Technical Summary
The ci4ms CMS prior to version 0.31.0.0 fails to properly neutralize user-controlled input during web page generation in its Menu Management functionality. Specifically, page-related data selected via the Pages section is stored server-side and rendered without proper output encoding, resulting in stored DOM-based cross-site scripting (CWE-79). This vulnerability allows an attacker with limited privileges to inject malicious scripts that execute in the context of administrative interfaces and public navigation menus. The vulnerability has been patched in version 0.31.0.0.
Potential Impact
Successful exploitation can lead to stored XSS attacks that compromise confidentiality (high), integrity (low), and availability (low) of the affected system. Attackers can execute arbitrary scripts in the context of users viewing the affected menus, potentially leading to session hijacking, unauthorized actions, or denial of service. The CVSS 3.1 base score is 9.1 (critical), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and scope change.
Mitigation Recommendations
Upgrade ci4ms to version 0.31.0.0 or later, where this vulnerability has been patched. No other mitigation is required as the fix addresses the root cause by properly sanitizing and encoding user input in the Menu Management functionality.
CVE-2026-34564: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ci4-cms-erp ci4ms
Description
CVE-2026-34564 is a critical stored DOM-based cross-site scripting (XSS) vulnerability in ci4ms, a CodeIgniter 4-based CMS. Versions prior to 0. 31. 0. 0 improperly sanitize user input when adding Pages to navigation menus, causing unsafe rendering of stored payloads in both administrative and public interfaces. This can lead to high-impact consequences including partial confidentiality loss, limited integrity compromise, and availability degradation. The issue has been fixed in version 0. 31. 0. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The ci4ms CMS prior to version 0.31.0.0 fails to properly neutralize user-controlled input during web page generation in its Menu Management functionality. Specifically, page-related data selected via the Pages section is stored server-side and rendered without proper output encoding, resulting in stored DOM-based cross-site scripting (CWE-79). This vulnerability allows an attacker with limited privileges to inject malicious scripts that execute in the context of administrative interfaces and public navigation menus. The vulnerability has been patched in version 0.31.0.0.
Potential Impact
Successful exploitation can lead to stored XSS attacks that compromise confidentiality (high), integrity (low), and availability (low) of the affected system. Attackers can execute arbitrary scripts in the context of users viewing the affected menus, potentially leading to session hijacking, unauthorized actions, or denial of service. The CVSS 3.1 base score is 9.1 (critical), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and scope change.
Mitigation Recommendations
Upgrade ci4ms to version 0.31.0.0 or later, where this vulnerability has been patched. No other mitigation is required as the fix addresses the root cause by properly sanitizing and encoding user input in the Menu Management functionality.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T16:56:30.997Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cd93ece6bfc5ba1d003621
Added to database: 4/1/2026, 9:53:48 PM
Last enriched: 4/10/2026, 12:10:59 AM
Last updated: 5/20/2026, 8:52:02 PM
Views: 100
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.