CVE-2026-34557
Status: Received (Intake)
Stored XSS in CI4MS Role and Group Management Components

Publication date: 2026-03-30

Last updated on: 2026-04-06

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within group and role management functionality. Multiple input fields (three distinct group-related fields) can be injected with malicious JavaScript payloads, which are then stored server-side. These stored payloads are later rendered unsafely within privileged administrative views without proper output encoding, leading to stored cross-site scripting (XSS) within the role and permission management context. This issue has been patched in version 0.31.0.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-31
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: ci4-cms-erp
Product: ci4ms
Version / Range: up to 0.31.0.0 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. It fails to properly sanitize user-controlled input within its group and role management functionality. Specifically, multiple input fields related to groups can be injected with malicious JavaScript payloads. These payloads are stored on the server and later rendered unsafely in privileged administrative views without proper output encoding. This leads to stored cross-site scripting (XSS) attacks within the role and permission management context.


How can this vulnerability impact me?

This vulnerability can allow attackers to execute malicious JavaScript code in the context of privileged administrative users. Because the malicious scripts are stored and rendered in administrative views, attackers could potentially hijack administrator sessions, steal sensitive information, manipulate roles and permissions, or perform other unauthorized actions within the CMS.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in CI4MS version 0.31.0.0. Immediate mitigation involves upgrading the application to version 0.31.0.0 or later.

Since the issue involves stored cross-site scripting (XSS) in group and role management functionality, avoid using or granting access to these features until the upgrade is applied.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows stored cross-site scripting (XSS) attacks that can lead to arbitrary JavaScript execution in administrator browsers, privilege escalation, and full administrator account takeover. This can result in unauthorized access to sensitive data and compromise of application integrity and availability.

Such security breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability of systems. Failure to properly sanitize inputs and prevent XSS can lead to data breaches and unauthorized data exposure, potentially violating these regulations.

Mitigation measures recommended include strict input sanitization, output encoding, and implementation of security headers (Content Security Policy, HttpOnly, SameSite, Secure flags) to reduce the risk of XSS and related attacks, thereby supporting compliance efforts.
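The description above says the stored group fields are rendered in administrative views without output encoding, and this answer names output encoding as the fix. The following is an added example in plain PHP, not code from the CI4MS project, showing a vulnerable row renderer beside its hardened form. The table and field names (name, description) are assumptions; in a CodeIgniter 4 view the framework helper esc($value) performs the same HTML-context encoding as the encodeForHtml() function below.

```php
<?php
// Added example (not CI4MS project code): why stored group data must be
// encoded at output time. Field names are assumed; esc() in a CodeIgniter 4
// view does what encodeForHtml() does here.

declare(strict_types=1);

// Constructed sample of what a groups table could hold once a user has
// stored markup in it. Row 2 carries the test string quoted on this page.
function sampleGroups(): array
{
    return [
        ['id' => 1, 'name' => 'editors', 'description' => 'Content editors'],
        ['id' => 2, 'name' => '<img src=x onerror=alert(1)>', 'description' => 'x'],
        ['id' => 3, 'name' => 'ops', 'description' => '"><b>bold</b>'],
    ];
}

// HTML encoding for body and attribute context: every character that can
// open or close a tag, attribute or entity becomes an entity, so stored
// markup is displayed as text instead of parsed by the admin's browser.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: stored values are concatenated straight into markup,
// which is the pattern CWE-79 describes.
function renderGroupRowUnsafe(array $group): string
{
    return '<tr><td>' . $group['id'] . '</td><td>' . $group['name']
        . '</td><td>' . $group['description'] . '</td></tr>';
}

// Hardened rendering: every stored value is encoded for the context it lands
// in. Encoding belongs at output, because values can reach the table by other
// paths (imports, API calls, records stored before a fix) than the form.
function renderGroupRowSafe(array $group): string
{
    return '<tr><td>' . encodeForHtml((string) $group['id'])
        . '</td><td>' . encodeForHtml($group['name'])
        . '</td><td>' . encodeForHtml($group['description']) . '</td></tr>';
}

foreach (sampleGroups() as $group) {
    echo 'unsafe: ' . renderGroupRowUnsafe($group) . PHP_EOL;
    echo 'safe:   ' . renderGroupRowSafe($group) . PHP_EOL;
}
```

Run it with php on the command line and compare the two lines for row 2: the unsafe variant emits a live img element, the safe variant emits &lt;img ...&gt; as visible text. Input validation on the group form is still worthwhile, but it does not replace encoding at the point of output.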


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the group and role management input fields for stored malicious JavaScript payloads. Specifically, check the three distinct group-related input fields where user input is stored and later rendered unsafely in administrative views.

One practical approach is to manually test or scan the affected endpoints, such as the administrative interface at /backend/users/groupList/, by injecting benign test scripts (e.g., <img src=x onerror=alert(1)>) into group creation or editing forms and then verifying if the payload executes when viewed by an administrator.

Automated scanning tools or custom scripts can be used to detect stored XSS by submitting payloads to the relevant input fields and monitoring the responses or administrative views for execution.

Since this is a web application vulnerability, network-level detection commands are limited, but you can monitor HTTP requests and responses for suspicious payloads or unexpected script tags in responses from the group and role management endpoints.

  • Use curl or similar tools to submit test payloads to group-related input fields, for example:
    curl -X POST -d 'groupName=<img src=x onerror=alert(1)>' https://your-ci4ms-instance/backend/users/groupCreate/
  • After injection, access the administrative group list page to check if the payload executes:
    curl -b cookies.txt https://your-ci4ms-instance/backend/users/groupList/
  • Use browser developer tools or automated scanners to detect execution of injected scripts in the admin interface.
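Upgrading to 0.31.0.0 stops new payloads from rendering, but values stored before the upgrade remain in the database. The following is an added example, not CI4MS project code, that audits stored group records for markup-like content so an administrator can find and clean such rows without submitting anything to the application. The column names and the sampleRows() data are constructed assumptions; in a real check, feed the function the rows returned by your own query against the group table.

```php
<?php
// Added example (not CI4MS project code): audit already-stored group records
// for markup or script context. Column names are assumptions; replace
// sampleRows() with rows from your database query.

declare(strict_types=1);

// Constructed sample rows standing in for a query result. Row 4 shows a
// harmless "<" in prose that must not be flagged.
function sampleRows(): array
{
    return [
        ['id' => 1, 'name' => 'editors', 'description' => 'Content editors', 'note' => 'A & B teams'],
        ['id' => 2, 'name' => '<img src=x onerror=alert(1)>', 'description' => 'x', 'note' => ''],
        ['id' => 3, 'name' => 'ops', 'description' => 'see <a href="javascript:void(0)">here</a>', 'note' => ''],
        ['id' => 4, 'name' => 'finance', 'description' => 'x < y comparisons', 'note' => ''],
    ];
}

// Heuristic indicators of markup rather than plain text. A tag name must
// follow "<" directly, so "x < y" is not a match; an on* event handler
// or a javascript: URL is flagged wherever it appears.
const SUSPICIOUS_PATTERNS = [
    'html_tag'      => '/<\/?[a-z][a-z0-9-]*[\s>\/]/i',
    'event_handler' => '/\bon[a-z]+\s*=/i',
    'script_url'    => '/javascript\s*:/i',
];

// Return one finding per (row, column, indicator) match.
function auditRows(array $rows, array $columns): array
{
    $findings = [];
    foreach ($rows as $row) {
        foreach ($columns as $column) {
            $value = (string) ($row[$column] ?? '');
            foreach (SUSPICIOUS_PATTERNS as $label => $pattern) {
                if (preg_match($pattern, $value) === 1) {
                    $findings[] = [
                        'id'        => $row['id'],
                        'column'    => $column,
                        'indicator' => $label,
                        'value'     => $value,
                    ];
                }
            }
        }
    }
    return $findings;
}

$findings = auditRows(sampleRows(), ['name', 'description', 'note']);
foreach ($findings as $f) {
    printf("group id %d, column %s: %s (%s)\n", $f['id'], $f['column'], $f['indicator'], $f['value']);
}
printf("%d finding(s)\n", count($findings));
```

The patterns are deliberately narrow heuristics, so review each finding by hand; a flagged row should be corrected or deleted through the patched interface, and the same scan can be repeated periodically as a simple integrity check on the group and role tables.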
