CVE-2026-34564 is a stored DOM-based cross-site scripting vulnerability affecting ci4ms, a CMS built on the CodeIgniter 4 framework. The flaw exists in versions prior to 0.31.0.0 within the Menu Management functionality, where user-controlled input related to Pages added to navigation menus is not properly sanitized or output encoded. Specifically, when administrators add Pages to navigation menus, the page-related data is stored on the server and later rendered in both the administrative interface and public navigation menus without adequate neutralization of potentially malicious scripts. This improper handling leads to stored XSS, allowing attackers to inject arbitrary JavaScript code that executes in the context of the victim’s browser. The vulnerability requires low privileges (administrator-level access to the CMS backend) but does not require user interaction for exploitation once the malicious payload is stored. The CVSS 3.1 score of 9.1 reflects the critical nature of this vulnerability, with high impact on confidentiality due to potential session hijacking or data theft, low impact on integrity, and low impact on availability. The scope is changed as the vulnerability affects both administrative and public interfaces, increasing the attack surface. No known exploits have been reported in the wild yet, but the vulnerability is publicly disclosed and patched in version 0.31.0.0. Organizations using ci4ms should prioritize patching and review their navigation menu configurations to detect any suspicious entries. This vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in CMS platforms that handle dynamic content rendering.

The impact of CVE-2026-34564 is significant for organizations using ci4ms CMS versions prior to 0.31.0.0. Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of users visiting affected navigation menus or administrators managing menus. This can lead to session hijacking, theft of sensitive information such as authentication tokens or cookies, unauthorized actions performed on behalf of users, and potential malware delivery. The vulnerability compromises confidentiality primarily, with some risk to integrity and availability depending on the payload delivered. Because the malicious script is stored and served to multiple users, the attack can scale and affect a wide audience, including site visitors and administrators. Organizations with public-facing websites using ci4ms are at risk of reputational damage, data breaches, and regulatory compliance issues. The requirement for low privileges to inject the payload means insider threats or compromised administrator accounts can easily exploit this vulnerability. Although no active exploits are known, the critical CVSS score and public disclosure increase the likelihood of future exploitation attempts. The vulnerability also increases the attack surface by affecting both backend and frontend interfaces, making detection and mitigation more challenging.

To mitigate CVE-2026-34564, organizations should immediately upgrade ci4ms to version 0.31.0.0 or later, where the vulnerability has been patched with proper input sanitization and output encoding. In addition to patching, administrators should audit existing navigation menus for suspicious or unexpected page entries that may contain malicious scripts and remove them. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Employ web application firewalls (WAFs) with rules targeting XSS payloads to detect and block exploitation attempts. Review and enforce strict role-based access control (RBAC) to limit the number of users with permissions to modify navigation menus. Conduct regular security training for administrators to recognize and prevent injection of malicious content. Finally, implement comprehensive logging and monitoring of CMS administrative actions and web traffic to detect anomalous behavior indicative of exploitation attempts. These combined measures will reduce the risk and impact of this vulnerability beyond simply applying the patch.