CI4MS XSS Vulnerability (CVE-2026-34563)
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to proper...
Overview
A critical stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-34563, has been identified in CI4MS, a CodeIgniter 4-based content management system skeleton. The flaw allows attackers to inject malicious JavaScript that is permanently stored on the server and executed automatically in administrative panels. This vulnerability affects all versions prior to 0.31.0.0.
Vulnerability Details
The vulnerability exists in the backup management functionality. The application does not validate or sanitize user-supplied input in backup filenames. An attacker can upload a crafted SQL backup file (e.g., xss.sql) whose name carries a JavaScript payload; when the application processes the upload, it stores that value in the database without neutralising it. Later, when an administrator views the list of backups in the control panel, the stored value is rendered unencoded and the script executes in the administrator's browser, with no further interaction from the attacker. This is a stored (persistent) XSS; because the attacker never sees the page in which the payload fires, it is also described as blind XSS.
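To make the two halves of that data flow concrete, here is an added Python example (not CI4MS or CodeIgniter code; CI4MS itself is PHP) that models a backup-list renderer in its vulnerable form beside the hardened one: an allowlist check on the filename at the upload boundary, and HTML encoding at render time, which are the two controls the fix described under Remediation relies on. The sample filenames, the allowlist pattern and the page template are constructed for this example.

```python
import html
import re

# Constructed sample data, not taken from CI4MS: these stand in for rows read
# from the backups table that the management UI lists.
SAMPLE_BACKUPS = [
    "site-2026-01-15.sql",
    "<script>alert(1)</script>.sql",  # the stored-markup pattern the advisory describes
]

# Hypothetical allowlist: letters, digits, dot, dash, underscore; must end in .sql.
SAFE_BACKUP_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.sql$")


def store_backup_name_vulnerable(filename: str) -> str:
    """'Before' behaviour: the submitted name is stored exactly as supplied."""
    return filename


def store_backup_name_hardened(filename: str) -> str:
    """Input validation at the upload boundary: reject anything outside the allowlist."""
    if not SAFE_BACKUP_NAME.fullmatch(filename):
        raise ValueError("backup filename rejected by allowlist")
    return filename


def render_backup_list_vulnerable(names: list[str]) -> str:
    """'Before' behaviour: raw interpolation into the admin page, so stored markup executes."""
    rows = "".join(f"<tr><td>{name}</td></tr>" for name in names)
    return f"<table>{rows}</table>"


def render_backup_list_hardened(names: list[str]) -> str:
    """Output encoding: every stored value is HTML-escaped at render time, whatever its origin."""
    rows = "".join(f"<tr><td>{html.escape(name, quote=True)}</td></tr>" for name in names)
    return f"<table>{rows}</table>"


def contains_active_markup(rendered: str) -> bool:
    """Demonstration helper: does the rendered page still contain a live <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    vulnerable_page = render_backup_list_vulnerable(SAMPLE_BACKUPS)
    hardened_page = render_backup_list_hardened(SAMPLE_BACKUPS)
    print("vulnerable render keeps live script tag:", contains_active_markup(vulnerable_page))
    print("hardened render keeps live script tag:  ", contains_active_markup(hardened_page))
    for name in SAMPLE_BACKUPS:
        try:
            store_backup_name_hardened(name)
            print("accepted at upload:", name)
        except ValueError as exc:
            print("rejected at upload:", name, "-", exc)
```

Encoding at output is the control that actually stops execution, because a value already sitting in the database bypasses any upload-time check; the allowlist is defence in depth and also keeps odd names out of the backup directory. In a CodeIgniter 4 view the counterpart of `html.escape` is the framework's `esc()` helper.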
Impact
With a CVSS score of 9.1, this vulnerability poses a severe risk. Successful exploitation allows an attacker with low-privileged access (such as a contributor account) to execute arbitrary JavaScript in the context of an administrator’s session. This can lead to a complete compromise of the CMS administration, including theft of session cookies, redirection to malicious sites, defacement of websites, or the creation of new administrative accounts for persistent backdoor access. The attack is network-based and requires no user interaction, making it highly reliable for an attacker.
Remediation and Mitigation
The primary and definitive remediation is to immediately upgrade CI4MS to version 0.31.0.0 or later, which contains the necessary patches for input sanitization and output encoding.
If an immediate upgrade is not possible, consider these temporary mitigation steps:
- Restrict access to the backup upload and management interfaces to only strictly necessary, trusted administrators.
- Implement a Web Application Firewall (WAF) rule to block HTTP requests containing obvious script tags or JavaScript event handlers in file upload parameters.
- Conduct a review of application logs for any unusual uploads of .sql backup files from untrusted sources.
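The WAF rule and the log-review step above are the same check applied at two points: look for markup or script event handlers where a plain backup filename should be. The following added Python example (not part of the advisory or of CI4MS) runs that check over a few constructed application log lines. The log layout, the `backup.upload` event name and the user/role fields are assumptions made for this example; the advisory does not describe CI4MS's actual log format.

```python
import re
from dataclasses import dataclass

# Constructed log lines in a hypothetical layout (not CI4MS's real log format):
# timestamp, event, acting user and role, and the filename as submitted.
SAMPLE_LOG = """\
2026-03-02T10:15:22Z backup.upload user=admin role=admin filename=nightly-2026-03-02.sql
2026-03-02T11:02:07Z backup.upload user=contributor7 role=contributor filename=report.sql
2026-03-02T11:04:51Z backup.upload user=contributor7 role=contributor filename=<script>alert(1)</script>.sql
2026-03-02T11:06:13Z backup.upload user=guest3 role=contributor filename=x" onmouseover="alert(1).sql
2026-03-02T12:00:00Z backup.restore user=admin role=admin filename=nightly-2026-03-02.sql
"""

# Field layout of the hypothetical log line; the filename runs to end of line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) role=(?P<role>\S+) filename=(?P<filename>.*)$"
)

# Markers that have no business in a filename: tag delimiters, quotes,
# javascript: URLs and on*= event handlers (the things the WAF rule targets).
SUSPICIOUS_MARKUP = re.compile(r"""<|>|["']|javascript:|\bon[a-z]+\s*=""", re.IGNORECASE)

# Hypothetical allowlist for what a legitimate backup name looks like.
SAFE_BACKUP_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.sql$")


@dataclass
class Finding:
    timestamp: str
    user: str
    role: str
    filename: str
    reason: str


def review_upload_log(log_text: str) -> list[Finding]:
    """Return one Finding per backup upload whose filename looks like markup or
    falls outside the allowlist. Non-upload events and clean uploads are skipped."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "backup.upload":
            continue
        name = m["filename"]
        if SUSPICIOUS_MARKUP.search(name):
            reason = "markup or script handler in filename"
        elif not SAFE_BACKUP_NAME.fullmatch(name):
            reason = "filename outside allowlist"
        else:
            continue
        findings.append(Finding(m["ts"], m["user"], m["role"], name, reason))
    return findings


if __name__ == "__main__":
    for f in review_upload_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} ({f.role}): {f.reason}: {f.filename!r}")
```

Because the advisory notes that exploitation needs only a low-privileged account, each finding carries the acting user and role, so uploads from non-administrator accounts can be triaged first. The same `SUSPICIOUS_MARKUP` pattern is what a WAF rule scoped to the upload's filename parameter would express; matching on the filename alone keeps the rule from rejecting legitimate SQL content in the file body.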
Security Insight
This vulnerability highlights the persistent risk of "second-order" injection attacks, where malicious input is stored through one feature (SQL backup processing) and executed in the context of another (the management UI). It mirrors past incidents in popular CMS platforms where admin functionality was compromised through similarly overlooked data flows, and it underscores that security testing must follow data across all application modules, not just the directly user-facing endpoints.