CVE-2026-35035
Stored Cross-Site Scripting in CI4MS System Settings
Publication date: 2026-04-06
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ci4-cms-erp | ci4ms | to 0.31.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows persistent Cross-Site Scripting (XSS) attacks that can lead to arbitrary script execution on public-facing pages, potentially resulting in full account takeover and platform compromise.
Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of user data and prevention of unauthorized access or data breaches.
Failure to properly sanitize and encode user input, leading to XSS vulnerabilities, may result in unauthorized disclosure or manipulation of personal data, violating confidentiality and integrity requirements mandated by these regulations.
Therefore, this vulnerability poses a risk to compliance by exposing sensitive user information and undermining data protection controls required under GDPR, HIPAA, and similar standards.
Can you explain this vulnerability to me?
CVE-2026-35035 is a high-severity Stored DOM Cross-Site Scripting (XSS) vulnerability in the CI4MS CodeIgniter 4-based CMS. It occurs because the application fails to properly sanitize user-controlled input in several administrative configuration fields under System Settings β Company Information, such as Company Name, Slogan, Phone, Email, and media-related inputs.
The malicious input is stored in the database and later rendered without proper output encoding on public-facing pages like the main landing page. This allows an attacker to inject persistent JavaScript payloads that execute automatically in the browsers of visitors to the public site.
The vulnerability does not affect the administrative dashboard itself but only the public frontend. It is fixed in version 0.31.2.0.
How can this vulnerability impact me? :
This vulnerability can lead to persistent cross-site scripting attacks, allowing attackers to execute arbitrary JavaScript in the browsers of users visiting the affected public pages.
Potential impacts include full account takeover if cookies lack proper security flags, and full platform compromise for any user interacting with the affected pages.
Because the attack vector is network-based and requires high privileges to inject the payload, the risk is significant for users accessing the public site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected into the System Settings β Company Information fields such as Company Name, Slogan, Phone, Mobile, Email, Google Maps iframe link, and Company Logo.
One approach is to inspect the backend settings endpoint (/backend/settings/) for suspicious input containing script tags or event handlers like onerror.
Additionally, reviewing the public-facing pages, especially the main landing page, for unexpected script execution or injected HTML can help identify exploitation.
While no specific commands are provided, you can use tools like curl or wget to fetch the backend settings page and grep for suspicious patterns, for example:
- curl -s -k https://yourdomain.com/backend/settings/ | grep -iE '<script|onerror|<img'
- Review database entries for the affected fields for injected payloads using SQL queries, e.g., SELECT statements filtering for suspicious strings.
Monitoring HTTP responses on public pages for unexpected script tags or event handlers can also be done using browser developer tools or automated scanners.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the ci4ms package to version 0.31.2.0 or later, where this vulnerability is fixed.
Avoid using unsafe JavaScript sinks such as .html() or innerHTML-like functions that render untrusted input without proper encoding.
Implement thorough HTML encoding and input sanitization on all user-controlled inputs, especially those in the System Settings β Company Information fields.
Apply security headers such as Content Security Policy (CSP) to restrict the execution of unauthorized scripts.
Set HttpOnly, SameSite, and Secure flags on cookies to reduce the risk of cookie theft and Cross-Site Request Forgery (CSRF) attacks.