Stored DOM-Based Cross-Site Scripting in CI4MS CMS by CodeIgniter 4
CVE-2026-34558

9.1 CRITICAL

Key Information:

CVE Published: 30 March 2026

What is CVE-2026-34558?

CI4MS, a modular CMS built on CodeIgniter 4, contains a vulnerability in its Methods Management functionality, which does not properly sanitize user input. This allows attackers to store malicious JavaScript payloads in multiple input fields. When these payloads are later rendered in the administrative interfaces or global navigation components, they are output without proper encoding and execute in the browser, exposing the application to Stored DOM-Based Cross-Site Scripting (XSS) attacks. Users are strongly encouraged to upgrade to version 0.31.0.0 or later to mitigate this security risk.

Affected Version(s)

ci4ms < 0.31.0.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
