CVE-2026-34562
Stored Cross-Site Scripting in CI4MS System Settings Module
Publication date: 2026-04-01
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ci4-cms-erp | ci4ms | to 0.31.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. The issue is that the application does not properly sanitize user-controlled input within the System Settings → Company Information section. Several administrative configuration fields accept input from attackers that is stored on the server and later displayed without proper output encoding.
How can this vulnerability impact me?
Because the application stores and renders attacker-controlled input without proper encoding, it can lead to security issues such as cross-site scripting (XSS). This can allow attackers to execute malicious scripts in the context of the application, potentially leading to data leakage, unauthorized actions, or disruption of service.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in CI4MS version 0.31.0.0. To mitigate this vulnerability, you should upgrade your CI4MS installation to version 0.31.0.0 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves improper sanitization of user-controlled input in administrative configuration fields, which could lead to stored data being rendered without proper output encoding.
Such issues can potentially lead to data integrity and confidentiality concerns, which may impact compliance with standards like GDPR and HIPAA that require protection of sensitive information and prevention of unauthorized data manipulation.
However, specific impacts on compliance are not detailed in the provided information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected into the administrative configuration fields within the System Settings → Company Information section of the CI4MS application, specifically versions up to 0.28.6.0.
Since the exploit involves stored DOM-based Cross-Site Scripting (XSS), detection involves inspecting the input fields such as Company Name, Slogan, Phone, Mobile, Email, Google Maps iframe link, Company Logo, and other media-related fields for suspicious or malformed HTML/JavaScript code.
You can detect exploitation attempts by monitoring HTTP requests to the endpoint `/backend/settings/` for payloads that break out of HTML attributes and include script execution, for example payloads containing `onerror=alert()` or similar event handlers.
Suggested commands to detect such payloads include:
- Using grep to search server-side stored configuration files or database dumps for suspicious script tags or event handlers: `grep -i -r --include='*.php' 'onerror=' /path/to/ci4ms`
- Using curl or wget to fetch the settings page and inspect the response for injected scripts: `curl -s -b cookies.txt https://your-ci4ms-instance/backend/settings/ | grep -i 'onerror'`
- Reviewing web server logs for POST requests to `/backend/settings/` containing suspicious payloads: `grep '/backend/settings/' /var/log/nginx/access.log | grep -i 'onerror'`
Additionally, monitoring backend user activity logs (if the Audit Trail feature, available in version 0.31.0.0 and later, is enabled) can help identify suspicious administrative actions related to settings changes.
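As an added illustration (not part of the CVE record or of the CI4MS project), the access-log check from the third command above carried out in Python over constructed nginx log lines: it URL-decodes the request line before matching, which a plain `grep -i 'onerror'` misses when the payload arrives percent-encoded, and it only sees what the default log format records (request line and Referer, not POST bodies). The log lines, the endpoint default and the indicator patterns are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in nginx "combined" log format (not taken from the page).
# A default nginx access log records the request line and Referer, not the POST
# body, so only payloads that reach the query string or Referer are visible here.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2026:10:00:01 +0000] "POST /backend/settings/ HTTP/1.1" 302 0 "https://cms.example/backend/settings/" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2026:10:00:07 +0000] "GET /backend/settings/?company_name=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Apr/2026:10:01:00 +0000] "GET /backend/settings/ HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Apr/2026:10:02:00 +0000] "POST /backend/settings/?slogan=%3Cscript%3E HTTP/1.1" 302 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Markup fragments typical of attribute break-out / tag injection, matched
# case-insensitively against the URL-decoded request line and Referer.
PAYLOAD_RE = re.compile(
    r'(<script\b|<img\b|<iframe\b|javascript:|\bon(?:error|load|click|mouseover|focus)\s*=)',
    re.IGNORECASE,
)

def find_suspicious(log_text, endpoint="/backend/settings/"):
    """Return one dict per request to `endpoint` whose decoded URL or Referer
    contains a payload indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(endpoint):
            continue
        # Decode twice so double-encoded payloads (%253C...) are also caught.
        decoded = unquote(unquote(m["path"] + " " + m["ref"]))
        pm = PAYLOAD_RE.search(decoded)
        if pm:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "indicator": pm.group(0)})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

The same decoding step applies to the curl check above: compare the served page against the decoded form of what was submitted, since the browser renders the decoded value.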