CI4MS CMS Stored XSS (CVE-2026-34567)
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to proper...
Overview
A critical stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-34567, has been identified in CI4MS, a CodeIgniter 4-based content management system skeleton. The flaw allows an attacker with low-privilege access to inject malicious JavaScript into the platform, which is then automatically executed when other users view affected content. This vulnerability is present in all versions prior to 0.31.0.0.
Vulnerability Details
The vulnerability exists within the blog post Categories management section. The application does not properly validate or sanitize user-supplied input when creating or editing category content. An attacker can submit a crafted payload containing JavaScript code, which is then stored persistently in the server's database. When any user, including an administrator, later views a blog post associated with the compromised category, the stored payload is rendered directly into the page without output encoding, and the script executes in that user's browser.
Impact
With a CVSS score of 9.1, this vulnerability poses a severe risk. Successful exploitation can lead to session hijacking, where an attacker steals authenticated session cookies to impersonate legitimate users or administrators. This could result in unauthorized content modification, data theft, or a complete site takeover. The attack requires only low privileges and no user interaction, making it highly reliable for an attacker who has obtained a basic user account.
Remediation and Mitigation
The primary and definitive solution is to upgrade CI4MS to version 0.31.0.0 or later immediately. The patch introduces proper input sanitization and context-aware output encoding for category content.
If an immediate upgrade is not possible, consider these temporary mitigation steps:
- Review User Accounts: Audit and review all user accounts with content creation privileges. Remove any suspicious or unnecessary accounts.
- Manual Sanitization: Manually inspect and clean any existing category content in the database for suspicious scripts or HTML attributes.
- Web Application Firewall (WAF): Deploy or configure a WAF rule to block requests containing common XSS payloads targeting the categories endpoint. Note that this is not a substitute for patching.
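The two controls above that an operator can act on directly, context-aware output encoding of category content (the substance of the 0.31.0.0 fix) and a review of rows already in the database (the "Manual Sanitization" step), are illustrated by the following PHP. It is an added example written for this advisory, not code from the CI4MS project: the function names, the category row shape (`id`, `name`, `slug`, `description`) and the `/blog/category/` route are assumptions. CodeIgniter 4 ships the `esc($value, $context)` helper for the encoding step; `htmlspecialchars()` is used here so the file runs without the framework installed.

```php
<?php
// Added example for the CI4MS stored XSS advisory; not CI4MS project code.
// Assumed: category rows carry id/name/slug/description, and the public
// category route is /blog/category/<slug>.

declare(strict_types=1);

/**
 * Encode a value for an HTML text node or a double-quoted attribute.
 * In a CodeIgniter 4 view the equivalent is esc($value, 'html') or
 * esc($value, 'attr'); htmlspecialchars() keeps this file framework-free.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern: the stored category name is echoed unescaped, so any
 * tag saved into the field becomes live markup for every viewer.
 */
function renderCategoryLinkUnsafe(array $category): string
{
    return '<a href="/blog/category/' . $category['slug'] . '">' . $category['name'] . '</a>';
}

/**
 * Hardened pattern: each dynamic value is encoded for the context it lands in.
 * The slug is a URL path segment, so it is percent-encoded first; the whole
 * href and the visible name are then HTML-encoded.
 */
function renderCategoryLink(array $category): string
{
    $href = '/blog/category/' . rawurlencode($category['slug']);
    return '<a href="' . escapeHtml($href) . '">' . escapeHtml($category['name']) . '</a>';
}

/**
 * Triage aid for the manual review of existing rows: flag category fields
 * that contain markup an editor has no reason to store (tags, event-handler
 * attributes, script-scheme URLs). This is a review tool, not a sanitizer.
 */
function findSuspiciousCategories(array $rows): array
{
    $patterns = [
        '/<\s*\/?\s*[a-z][\w-]*/i',          // any HTML tag
        '/\bon[a-z]+\s*=/i',                   // onload=, onerror=, ...
        '/(javascript|vbscript|data)\s*:/i',   // script-scheme URLs
    ];
    $hits = [];
    foreach ($rows as $row) {
        foreach (['name', 'slug', 'description'] as $field) {
            $value = (string) ($row[$field] ?? '');
            foreach ($patterns as $pattern) {
                if (preg_match($pattern, $value) === 1) {
                    $hits[] = ['id' => $row['id'], 'field' => $field, 'value' => $value];
                    break;
                }
            }
        }
    }
    return $hits;
}

// Constructed sample rows standing in for a SELECT over the categories table.
$categories = [
    ['id' => 1, 'name' => 'Security News', 'slug' => 'security-news', 'description' => 'Weekly roundup'],
    ['id' => 2, 'name' => 'Tips & Tricks', 'slug' => 'tips-tricks', 'description' => 'Short how-tos'],
    // Constructed row with a script tag stored in the name field.
    ['id' => 3, 'name' => 'News<script>alert(1)</script>', 'slug' => 'news', 'description' => ''],
    // Constructed row with an event-handler attribute stored in the description.
    ['id' => 4, 'name' => 'Gallery', 'slug' => 'gallery', 'description' => '<img src=x onerror=alert(1)>'],
];

foreach ($categories as $category) {
    // Compare the two renderings side by side for each row.
    echo renderCategoryLinkUnsafe($category), PHP_EOL;
    echo renderCategoryLink($category), PHP_EOL;
}

print_r(findSuspiciousCategories($categories));
```

Run it with `php` from the command line. The unsafe renderer emits the stored tag verbatim, while the hardened renderer turns `<` into `&lt;` and `&` into `&amp;`, so the same row becomes inert text. The scan reports the row id and field for each flagged value so an operator can inspect and clean them by hand; it deliberately does not rewrite anything, since encoding at output time, as the patched version does, is the control that actually closes the flaw.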
Security Insight
This vulnerability highlights the persistent risk in modular CMS frameworks where core security controls can be inadvertently bypassed in custom modules. It mirrors a pattern seen repeatedly in CMS advisories: robust framework-level protections are nullified by a single unsanitized field in an administrative panel. The high CVSS score for an XSS flaw underscores how low-privilege, non-interactive stored XSS in a core content feature is functionally equivalent to a privilege escalation vector, granting attackers immediate access to higher-privileged sessions.