CVE-2026-34560
Received Received - Intake
Blind Stored XSS in CI4MS Logs Allows Admin Compromise

Publication date: 2026-04-01

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34560
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ci4-cms-erp ci4ms to 0.31.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking for the presence of stored XSS payloads within the application logs, especially payloads injected via user inputs that get logged unsafely.

One approach is to inspect the logs for suspicious entries containing typical XSS payload patterns such as <img src=x onerror=alert(document.domain)> or other JavaScript event handlers embedded in logged data.

Since the vulnerability involves the logs interface rendering user-controlled input unsafely, you can also test by injecting benign XSS payloads into inputs that are logged and then reviewing the logs page as an administrator to see if the payload executes.

  • Use grep or similar commands to search log files for common XSS payload patterns, for example: grep -iE '<script|onerror|onload|alert|img src=' /path/to/logs/*
  • Manually review the logs interface in the application as an administrator to observe if any stored payloads execute.
  • Attempt to trigger errors that cause user input to be logged, such as accessing endpoints like /backend/backup/restore/<payload> with XSS payloads, then check if these payloads appear unsanitized in the logs.
Executive Summary

This vulnerability exists in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. The application unsafely renders user-controlled input within its logs interface without proper output encoding. If an attacker manages to store a Cross-Site Scripting (XSS) payload in the logged data, it will not execute immediately but will execute later when an administrator views the logs page. This type of vulnerability is known as Blind XSS.

Impact Analysis

The vulnerability can lead to a high-severity security issue where an attacker can execute malicious scripts in the context of an administrator's browser when they view the logs. This can result in unauthorized actions such as data theft, privilege escalation, or disruption of service. Because the attack is triggered later and not immediately visible to the attacker, it can be harder to detect and mitigate.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the CI4MS application to version 0.31.0.0 or later, where the issue has been patched.

Additionally, avoid rendering user-controlled input unsafely within the logs interface to prevent stored Blind XSS attacks.

Compliance Impact

The vulnerability in CI4MS allows stored Cross-Site Scripting (XSS) payloads to be executed when an administrator views the logs. This can lead to unauthorized code execution and potential compromise of administrative functions.

Such a security flaw can impact compliance with standards like GDPR and HIPAA because it may lead to unauthorized access or disclosure of sensitive personal or health information, violating data protection and privacy requirements.

Additionally, the vulnerability's high CVSS score (9.1) and its impact on confidentiality, integrity, and availability highlight the risk of non-compliance due to insufficient protection against injection attacks and improper handling of user input.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34560. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart