CVE-2026-34565: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ci4-cms-erp ci4ms
CI4MS versions prior to 0. 31. 0. 0 contain a stored DOM-based cross-site scripting (XSS) vulnerability in the Menu Management functionality. This occurs because user-controlled input related to Posts added to navigation menus is stored and later rendered without proper output encoding. The vulnerability affects both administrative dashboards and public-facing navigation menus. It has been patched in version 0. 31. 0. 0.
AI Analysis
Technical Summary
CI4MS, a CodeIgniter 4-based CMS skeleton, improperly neutralizes user input when adding Posts to navigation menus prior to version 0.31.0.0. Specifically, post-related data selected via the Posts section is stored server-side and rendered without proper output encoding, leading to stored DOM-based cross-site scripting (CWE-79). This vulnerability allows malicious input to be executed in the context of administrative dashboards and public navigation menus. The issue was addressed and patched in version 0.31.0.0.
Potential Impact
Exploitation of this vulnerability can lead to execution of arbitrary scripts in the context of affected users, potentially resulting in unauthorized disclosure of sensitive information, partial integrity loss, and partial availability impact. The vulnerability affects both administrative and public interfaces, increasing the risk of compromise. The CVSS 3.1 score of 9.1 reflects critical severity with network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
A patch fixing this vulnerability is available in ci4ms version 0.31.0.0. Users should upgrade to this version or later to remediate the issue. No additional mitigation steps are indicated by the vendor advisory.
CVE-2026-34565: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ci4-cms-erp ci4ms
Description
CI4MS versions prior to 0. 31. 0. 0 contain a stored DOM-based cross-site scripting (XSS) vulnerability in the Menu Management functionality. This occurs because user-controlled input related to Posts added to navigation menus is stored and later rendered without proper output encoding. The vulnerability affects both administrative dashboards and public-facing navigation menus. It has been patched in version 0. 31. 0. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CI4MS, a CodeIgniter 4-based CMS skeleton, improperly neutralizes user input when adding Posts to navigation menus prior to version 0.31.0.0. Specifically, post-related data selected via the Posts section is stored server-side and rendered without proper output encoding, leading to stored DOM-based cross-site scripting (CWE-79). This vulnerability allows malicious input to be executed in the context of administrative dashboards and public navigation menus. The issue was addressed and patched in version 0.31.0.0.
Potential Impact
Exploitation of this vulnerability can lead to execution of arbitrary scripts in the context of affected users, potentially resulting in unauthorized disclosure of sensitive information, partial integrity loss, and partial availability impact. The vulnerability affects both administrative and public interfaces, increasing the risk of compromise. The CVSS 3.1 score of 9.1 reflects critical severity with network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
A patch fixing this vulnerability is available in ci4ms version 0.31.0.0. Users should upgrade to this version or later to remediate the issue. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T16:56:30.997Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cd93ece6bfc5ba1d003626
Added to database: 4/1/2026, 9:53:48 PM
Last enriched: 4/9/2026, 11:58:38 PM
Last updated: 5/21/2026, 7:15:53 PM
Views: 83
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.