CVE-2026-34565 is a stored DOM-based cross-site scripting vulnerability affecting ci4ms, a CMS built on the CodeIgniter 4 framework. The vulnerability arises from improper neutralization of user-controlled input during web page generation, specifically when adding Posts to navigation menus through the Menu Management functionality. In affected versions prior to 0.31.0.0, post-related data selected and stored server-side is rendered without proper output encoding in both administrative dashboards and public-facing navigation menus. This improper output encoding allows an attacker with authorized access to inject malicious JavaScript payloads that persist in the system and execute in the browsers of administrators and end users. The vulnerability is classified under CWE-79 and has a CVSS v3.1 base score of 9.1, reflecting its critical nature. The attack vector is network-based, with low attack complexity, requiring privileges but no user interaction. The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component, impacting confidentiality (C:H), integrity (I:L), and availability (A:L). No public exploits have been observed yet, but the vulnerability's characteristics make it a prime target for exploitation. The vendor has addressed the issue in version 0.31.0.0 by implementing proper input sanitization and output encoding to prevent script injection.

The vulnerability allows attackers with low privileges to inject persistent malicious scripts into navigation menus, which are rendered both in administrative interfaces and public-facing pages. This can lead to theft of sensitive information such as authentication tokens, session cookies, or other confidential data, resulting in compromised user accounts and unauthorized access. The injected scripts could also manipulate page content, redirect users to malicious sites, or perform actions on behalf of users, undermining data integrity. Additionally, the vulnerability could be leveraged to conduct further attacks such as privilege escalation or lateral movement within the affected environment. The availability impact is lower but still present, as malicious scripts could disrupt normal site functionality or cause denial of service conditions. Organizations using ci4ms versions prior to 0.31.0.0 are at risk, especially those with exposed administrative dashboards or public navigation menus. The critical CVSS score reflects the high potential damage and ease of exploitation, emphasizing the need for urgent remediation.

Organizations should immediately upgrade ci4ms installations to version 0.31.0.0 or later, where the vulnerability has been patched with proper input sanitization and output encoding. Until upgrading is possible, administrators should restrict access to the Menu Management functionality to trusted users only and monitor for suspicious activity in navigation menus and administrative dashboards. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads can provide temporary protection. Conduct thorough code reviews and penetration testing focusing on input validation and output encoding in all user input handling components. Educate developers and administrators about secure coding practices, especially regarding output encoding in web applications. Additionally, consider implementing Content Security Policy (CSP) headers to limit the impact of potential script injections. Regularly audit logs and monitor for anomalous behavior indicative of exploitation attempts. Finally, ensure that all third-party components and dependencies are kept up to date to reduce the attack surface.