CI4MS CMS Stored XSS (CVE-2026-34571)
CVE-2026-34571
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, a Stored Cross-Site Scripting (...
Overview
A critical stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-34571, has been identified in CI4MS, a CodeIgniter 4-based content management system skeleton. The flaw resides in the backend user management module, where the application fails to properly validate and sanitize user input before displaying it in the administrative interface. This allows malicious scripts to be permanently stored and automatically executed.
Vulnerability Details
The vulnerability has a CVSS v3.1 score of 9.9 (CRITICAL). The attack vector is network-based, requires low attack complexity and low privileges, and needs no user interaction to be exploited. An attacker with minimal access, such as a low-privileged backend user account, can inject malicious JavaScript payloads into the system. These payloads are then stored and automatically execute whenever an administrator or other privileged user views the compromised management page.
Impact
Successful exploitation of this stored XSS flaw can lead to severe consequences for the affected CMS installation. The primary risks include session hijacking of administrative accounts, privilege escalation to gain full system control, and complete compromise of the backend administrative interface. This could allow an attacker to deface websites, steal sensitive data, or establish a persistent foothold within the network. For more on the consequences of such attacks, recent data breach reports are available at breach reports.
Remediation and Mitigation
The vendor has released a patch in CI4MS version 0.31.0.0. All users of versions prior to 0.31.0.0 must upgrade immediately. There is no effective workaround; patching is the only complete solution. As a precaution, administrators should audit user accounts for any suspicious activity and review audit logs for unexpected modifications in the user management section. Staying informed on such vulnerabilities is crucial; you can follow related cybersecurity news at security news.
Security Insight
This vulnerability highlights the persistent risk of XSS in administrative interfaces, even in modern frameworks like CodeIgniter 4. It serves as a reminder that foundational security controls like output encoding must be consistently applied across all application layers, including backend panels trusted by administrators. The high CVSS score, driven by the “no user interaction” requirement, underscores how stored XSS in a management console transforms a common web flaw into a direct path for full system takeover.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Related Advisories
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerab...
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerab...
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execu...
A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects...