CVE-2026-35035
Received Received - Intake
Stored Cross-Site Scripting in CI4MS System Settings

Publication date: 2026-04-06

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. These values are persisted in the database and rendered unsafely on public-facing pages only, such as the main landing page. There is no execution in the administrative dashboardβ€”the vulnerability only impacts the public frontend. This vulnerability is fixed in 0.31.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35035
EUVD
EUVD-2026-19374
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ci4-cms-erp ci4ms to 0.31.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected into the System Settings – Company Information fields such as Company Name, Slogan, Phone, Mobile, Email, Google Maps iframe link, and Company Logo.

One approach is to inspect the backend settings endpoint (/backend/settings/) for suspicious input containing script tags or event handlers like onerror.

Additionally, reviewing the public-facing pages, especially the main landing page, for unexpected script execution or injected HTML can help identify exploitation.

While no specific commands are provided, you can use tools like curl or wget to fetch the backend settings page and grep for suspicious patterns, for example:

  • curl -s -k https://yourdomain.com/backend/settings/ | grep -iE '<script|onerror|<img'
  • Review database entries for the affected fields for injected payloads using SQL queries, e.g., SELECT statements filtering for suspicious strings.

Monitoring HTTP responses on public pages for unexpected script tags or event handlers can also be done using browser developer tools or automated scanners.

Mitigation Strategies

Immediate mitigation steps include upgrading the ci4ms package to version 0.31.2.0 or later, where this vulnerability is fixed.

Avoid using unsafe JavaScript sinks such as .html() or innerHTML-like functions that render untrusted input without proper encoding.

Implement thorough HTML encoding and input sanitization on all user-controlled inputs, especially those in the System Settings – Company Information fields.

Apply security headers such as Content Security Policy (CSP) to restrict the execution of unauthorized scripts.

Set HttpOnly, SameSite, and Secure flags on cookies to reduce the risk of cookie theft and Cross-Site Request Forgery (CSRF) attacks.

Compliance Impact

The vulnerability allows persistent Cross-Site Scripting (XSS) attacks that can lead to arbitrary script execution on public-facing pages, potentially resulting in full account takeover and platform compromise.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of user data and prevention of unauthorized access or data breaches.

Failure to properly sanitize and encode user input, leading to XSS vulnerabilities, may result in unauthorized disclosure or manipulation of personal data, violating confidentiality and integrity requirements mandated by these regulations.

Therefore, this vulnerability poses a risk to compliance by exposing sensitive user information and undermining data protection controls required under GDPR, HIPAA, and similar standards.

Executive Summary

CVE-2026-35035 is a high-severity Stored DOM Cross-Site Scripting (XSS) vulnerability in the CI4MS CodeIgniter 4-based CMS. It occurs because the application fails to properly sanitize user-controlled input in several administrative configuration fields under System Settings – Company Information, such as Company Name, Slogan, Phone, Email, and media-related inputs.

The malicious input is stored in the database and later rendered without proper output encoding on public-facing pages like the main landing page. This allows an attacker to inject persistent JavaScript payloads that execute automatically in the browsers of visitors to the public site.

The vulnerability does not affect the administrative dashboard itself but only the public frontend. It is fixed in version 0.31.2.0.

Impact Analysis

This vulnerability can lead to persistent cross-site scripting attacks, allowing attackers to execute arbitrary JavaScript in the browsers of users visiting the affected public pages.

Potential impacts include full account takeover if cookies lack proper security flags, and full platform compromise for any user interacting with the affected pages.

Because the attack vector is network-based and requires high privileges to inject the payload, the risk is significant for users accessing the public site.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35035. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart