Input Sanitization Flaw in CodeIgniter 4-based CMS from CI4MS
CVE-2026-34562

4.7MEDIUM

Key Information:

Vendor: Ci4-cms-erp
Status: Ci4ms
Vendor: CVE Published:; 1 April 2026

🔔 Create Ci4-cms-erp Vulnerability Alert

What is CVE-2026-34562?

CI4MS, a Content Management System built on CodeIgniter 4, contains a significant flaw in the handling of user-controlled input within the System Settings - Company Information section. Prior to the update to version 0.31.0.0, several administrative fields failed to properly sanitize input, allowing potential attackers to inject harmful data. This unsanitized data is stored on the server and later rendered without appropriate output encoding, exposing the system to various injection attacks. This critical issue was addressed in the release of version 0.31.0.0, highlighting the importance of rigorous input validation and output encoding in web applications.

Affected Version(s)

ci4ms < 0.31.0.0

References

https://github.com/ci4-cms-erp/ci4ms/security/advisories/...

x_refsource_CONFIRM

https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0

x_refsource_MISC

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 1, 2026
Vulnerability Reserved
Mar 30, 2026

CVE-2026-34562 Data

JSON