← Back to CVEs
CVE-2026-34560
CRITICAL9.1
Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.
CVE Details
CVSS v3.1 Score9.1
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
Published4/1/2026
Last Modified4/3/2026
Sourcenvd
Honeypot Sightings0
Weaknesses (CWE)
CWE-79
References
https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0(security-advisories@github.com)
https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4(security-advisories@github.com)
https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.