CI4MS CMS Stored XSS (CVE-2026-34569)
CVE-2026-34569
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to proper...
Overview
A critical stored cross-site scripting (XSS) vulnerability has been identified in CI4MS, a CodeIgniter 4-based content management system skeleton. Tracked as CVE-2026-34569, this flaw allows an attacker with low-privileged access to inject malicious JavaScript into the platform, where it is stored and executed automatically for other users.
Vulnerability Details
The vulnerability exists in versions prior to 0.31.0.0. The application does not properly sanitize user input in the blog category title field. An attacker can submit a category title containing a malicious script. This payload is then stored in the database. Crucially, the application fails to apply proper output encoding when displaying these categories, causing the script to execute in victims’ browsers. The malicious code renders on public blog pages, administrative interfaces, and blog post views, making the attack vector widespread.
Impact
With a CVSS score of 9.9, the impact is severe. Attackers can hijack user sessions, deface websites, redirect users to malicious sites, or perform actions on behalf of authenticated users, including administrators. Since no user interaction is required (the payload executes automatically when a page loads), exploitation is straightforward and can lead to a full compromise of the CMS instance and potentially the underlying server. For context on how such web compromises can lead to data theft, recent incidents are detailed in our breach reports.
Remediation and Mitigation
The primary and mandatory action is to upgrade CI4MS to version 0.31.0.0 or later, which contains the necessary input validation and output encoding fixes.
If an immediate upgrade is not possible, implement the following temporary mitigations:
- Input Validation: Apply strict server-side validation to reject any category title containing HTML or JavaScript tags.
- Output Encoding: Ensure all dynamic content rendered from the database (especially category titles) is passed through a proper HTML encoding function before being sent to the browser.
- Review Logs: Audit application and web server logs for suspicious POST requests to category creation or editing endpoints.
## Security Insight
This vulnerability highlights the persistent risk in CMS frameworks that separate core functionality from theme/module output handling. Similar to past XSS issues in platforms like WordPress and Joomla, it underscores that a skeleton or “starter” CMS requires the same rigorous security review as a mature product, as developers often assume its modular foundation inherently manages basic sanitization. For the latest on evolving web application threats, follow our security news.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Related Advisories
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerab...
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerab...
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execu...
A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects...