anonhaven
Ad

CVE-2026-34562

CRITICAL CVSS 3.1: 9.0 EPSS 0.02%
Updated Apr 09, 2026
Ci4Ms
Parameter Value
CVSS 9.0 (CRITICAL)
Affected Versions before 0.31.0.0
Fixed In 0.31.0.0
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Ci4Ms
Public PoC No

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding.

This issue has been patched in version 0.31.0.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Ci4-Cms-Erp Ci4ms
cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*
 0.31.0.0

References 2

https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
security-advisories@github.com
https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v897-c6vq-6cr3
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35035

Ci4Ms

7.2

CVE-2026-34572

Ci4-Cms-Erp

8.8

CVE-2026-34571

Ci4-Cms-Erp

9.0

CVE-2026-34570

Ci4-Cms-Erp

8.8

CVE-2026-34566

Ci4-Cms-Erp

9.0