CI4MS CMS XSS Vulnerability (CVE-2026-34566)
CVE-2026-34566
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to proper...
Overview
A critical stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-34566, affects the CI4MS CMS skeleton built on CodeIgniter 4. The flaw exists in the Page Management module, where multiple input fields fail to properly sanitize user input. This allows attackers to inject malicious JavaScript code, which is then stored on the server and executed automatically when the page is viewed, requiring no further interaction from the victim.
Technical Details
The vulnerability is located in the functionality for creating and editing pages. User-supplied data in several input fields is not neutralized before being stored in the database. When these pages are rendered, both in the administrative interface page lists and on the public-facing website, the malicious scripts are executed without proper output encoding. This constitutes a stored DOM-based XSS attack. The attack complexity is low, requires low-level privileges to exploit, and can be performed over the network with no user interaction.
Impact and Risk
With a CVSS score of 9.1, this vulnerability poses a severe risk. An attacker with minimal privileges, such as a low-level editor account, could inject a script that hijacks administrative sessions, leading to a full compromise of the CMS backend. On the public site, the same flaw could be used to steal visitors’ session cookies or credentials, redirect them to malicious sites, or deface the website. Successful exploitation could serve as an initial access vector for a larger data breach. For context on the damage caused by such web compromises, recent incidents are detailed in our breach reports.
Remediation and Mitigation
The primary and mandatory action is to upgrade CI4MS to version 0.31.0.0 or later, which contains the necessary patches. If an immediate upgrade is not possible, consider the following temporary mitigations:
- Input Validation: Implement strict server-side validation on all Page Management fields to reject any input containing HTML or JavaScript tags.
- Output Encoding: Ensure all dynamic content rendered from the database is properly HTML-encoded before being output to the browser.
- Content Security Policy (CSP): Deploy a strict CSP header to significantly reduce the impact of any successful XSS payloads by blocking unauthorized script execution. Administrators should audit user accounts and review all existing page content for signs of tampering.
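To make the first three mitigations concrete in CodeIgniter 4 terms, here is an added illustration (not CI4MS source code): a view that echoes stored page fields raw, beside a hardened version that HTML-encodes on output, rejects tag-like input with a validation rule, and sets a CSP header. The controller name (`PageController`), the field names (`title`, `body`, `slug`) and the routes are assumptions for the example.

```php
<?php
// --- Vulnerable pattern (illustrative): the view trusts whatever was stored.
// app/Views/pages/show.php
//   <h1><?= $page['title'] ?></h1>     <- raw echo: a stored <script> runs for every viewer
//   <div><?= $page['body'] ?></div>

// --- Hardened pattern: encode on output, validate on input, restrict script sources.
// app/Views/pages/show.php
//   <h1><?= esc($page['title']) ?></h1>      <- esc() HTML-entity-encodes by default
//   <div><?= esc($page['body']) ?></div>
//   <a href="/p/<?= esc($page['slug'], 'url') ?>">  <- choose the context: html, attr, js, css, url

// app/Controllers/PageController.php (hypothetical name)
namespace App\Controllers;

class PageController extends BaseController
{
    // Server-side validation (CI4 built-in rules). The regex_match rule rejects any value
    // containing '<' or '>', so tag-like markup never reaches the database. This is an
    // example policy, stricter than stripping tags, chosen because stripping is easy to bypass.
    private array $rules = [
        'title' => 'required|max_length[255]|regex_match[/^[^<>]*$/]',
        'body'  => 'required|regex_match[/^[^<>]*$/]',
    ];

    public function save()
    {
        if (! $this->validate($this->rules)) {
            // Reject rather than "clean": the editor sees the error and resubmits.
            return redirect()->back()->withInput()->with('errors', $this->validator->getErrors());
        }
        $data = $this->request->getPost(['title', 'body']);
        // ... persist $data through the page model (omitted) ...
        return redirect()->to('/admin/pages');
    }

    public function show(string $slug)
    {
        // Defence in depth: even if one template misses esc(), the browser will not run
        // inline or third-party script on this page.
        $this->response->setHeader(
            'Content-Security-Policy',
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
        );
        // ... load $page by $slug (omitted) ...
        return view('pages/show', ['page' => $page ?? []]);
    }
}
```

The same `esc()` call must be applied in the admin page-list view as well as the public template, since the advisory notes the script fires in both places.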
Security Insight
This vulnerability highlights a persistent gap in the security of many modern CMS frameworks: the assumption that modular, “skeleton” architectures inherently handle core security functions like input sanitization. Similar to past incidents in other popular CMS platforms, it shows that foundational security controls must be explicitly implemented and tested in each module, not just inherited from the underlying framework. For ongoing coverage of such web application threats, follow our security news.