CVE-2026-35035

HIGH

7.2

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0 , the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. These values are persisted in the database and rendered unsafely on public-facing pages only, such as the main landing page. There is no execution in the administrative dashboard—the vulnerability only impacts the public frontend. This vulnerability is fixed in 0.31.2.0.

Details CVE

Score CVSS v3.17.2

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisHIGH

Interaction utilisateurNONE

Publie4/6/2026

Derniere modification4/6/2026

Sourcenvd

Observations honeypot0

Faiblesses (CWE)

CWE-79

References

https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5ghq-42rg-769x(security-advisories@github.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.