CVE-2026-34560
Blind Stored XSS in CI4MS Logs Allows Admin Compromise
Publication date: 2026-04-01
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ci4-cms-erp | ci4ms | to 0.31.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. The application unsafely renders user-controlled input within its logs interface without proper output encoding. If an attacker manages to store a Cross-Site Scripting (XSS) payload in the logged data, it will not execute immediately but will execute later when an administrator views the logs page. This type of vulnerability is known as Blind XSS.
How can this vulnerability impact me? :
The vulnerability can lead to a high-severity security issue where an attacker can execute malicious scripts in the context of an administrator's browser when they view the logs. This can result in unauthorized actions such as data theft, privilege escalation, or disruption of service. Because the attack is triggered later and not immediately visible to the attacker, it can be harder to detect and mitigate.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the CI4MS application to version 0.31.0.0 or later, where the issue has been patched.
Additionally, avoid rendering user-controlled input unsafely within the logs interface to prevent stored Blind XSS attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in CI4MS allows stored Cross-Site Scripting (XSS) payloads to be executed when an administrator views the logs. This can lead to unauthorized code execution and potential compromise of administrative functions.
Such a security flaw can impact compliance with standards like GDPR and HIPAA because it may lead to unauthorized access or disclosure of sensitive personal or health information, violating data protection and privacy requirements.
Additionally, the vulnerability's high CVSS score (9.1) and its impact on confidentiality, integrity, and availability highlight the risk of non-compliance due to insufficient protection against injection attacks and improper handling of user input.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of stored XSS payloads within the application logs, especially payloads injected via user inputs that get logged unsafely.
One approach is to inspect the logs for suspicious entries containing typical XSS payload patterns such as <img src=x onerror=alert(document.domain)> or other JavaScript event handlers embedded in logged data.
Since the vulnerability involves the logs interface rendering user-controlled input unsafely, you can also test by injecting benign XSS payloads into inputs that are logged and then reviewing the logs page as an administrator to see if the payload executes.
- Use grep or similar commands to search log files for common XSS payload patterns, for example: grep -iE '<script|onerror|onload|alert|img src=' /path/to/logs/*
- Manually review the logs interface in the application as an administrator to observe if any stored payloads execute.
- Attempt to trigger errors that cause user input to be logged, such as accessing endpoints like /backend/backup/restore/<payload> with XSS payloads, then check if these payloads appear unsanitized in the logs.