Stored Cross-Site Scripting Vulnerability in CI4MS CMS by CodeIgniter
CVE-2026-34557

9.1 CRITICAL

Key Information:

CVE Published: 30 March 2026

What is CVE-2026-34557?

The CI4MS CMS, built on the CodeIgniter 4 framework, does not properly sanitize user-controlled input in its group and role management modules. Prior to version 0.31.0.0, multiple input fields intended for managing groups accepted injected JavaScript, which could then be stored server-side. These stored payloads were rendered unsafely in administrative views, allowing stored cross-site scripting (XSS) attacks in sensitive areas such as role and permission management. Users are encouraged to update to version 0.31.0.0 or later to mitigate this risk.

Affected Version(s)

ci4ms < 0.31.0.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved