Compliance Impact

The vulnerability allows attackers to execute arbitrary JavaScript in the context of other users, including administrators, leading to session hijacking, privilege escalation, and full account takeover.

Such a compromise can lead to unauthorized access to sensitive personal data, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal information against unauthorized access and ensuring data integrity.

Therefore, this vulnerability poses a significant risk to compliance with these standards by potentially exposing personal data and compromising system integrity.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-34989 is a critical stored cross-site scripting (XSS) vulnerability in the CI4MS CodeIgniter 4-based CMS. It occurs because the application does not properly sanitize user-controlled input when users update their profile name (such as full name or username).

An attacker can inject malicious JavaScript code into their profile name, which is then stored on the server. This malicious code is later rendered unsafely in multiple parts of the application without proper encoding, causing the script to execute in the browsers of other users who view these pages.

This stored XSS affects both normal users and administrators, potentially allowing attackers to hijack sessions, escalate privileges, and take over admin accounts, leading to full compromise of the application.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including:

• Execution of arbitrary JavaScript code in the browsers of users and administrators.
• Session hijacking, allowing attackers to steal user sessions.
• Privilege escalation, enabling attackers to gain administrative rights.
• Full account takeover of administrator accounts.
• Complete compromise of the application, affecting confidentiality, integrity, and availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if user profile names (full name/username) contain malicious JavaScript payloads that are stored and rendered unsafely in the application.

One approach is to inspect the profile name fields in the database or through the application interface for suspicious scripts such as <img src=x onerror=alert(document.domain)> or other JavaScript event handlers.

Additionally, monitoring HTTP requests to the profile update endpoint (/backend/users/profile/) for payloads containing script tags or event handlers can help detect exploitation attempts.

Suggested commands include querying the database for profile names containing script tags or suspicious attributes, for example using SQL:

• SELECT * FROM users WHERE profile_name LIKE '%<script%' OR profile_name LIKE '%onerror=%' OR profile_name LIKE '%<img%';

Also, using web application security scanners or manual testing tools to attempt injecting scripts into profile name fields and observing if they execute when rendered can help confirm the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading the ci4ms package to version 31.0.0.0 or later, where the vulnerability is fixed.

Until the upgrade can be applied, avoid using unsafe JavaScript methods such as .html() or innerHTML-like functions that directly inject user input into the DOM without encoding.

Implement strict HTML encoding and sanitization of all user inputs before storage and ensure output encoding is consistently applied across all endpoints where user-controlled data is displayed.

Additionally, review and sanitize existing stored profile names to remove any malicious scripts.

Restrict user privileges to minimize the risk of attackers injecting malicious payloads and monitor user profile update activities for suspicious inputs.

Useful 0 Not Useful 0