Stored DOM-based Cross-Site Scripting in CodeIgniter 4 CMS by CI4MS
CVE-2026-34564

9.1 CRITICAL

Key Information:

CVE Published: 1 April 2026

What is CVE-2026-34564?

CI4MS, a content management system built on CodeIgniter 4, had a security flaw in its Menu Management functionality before version 0.31.0.0. The vulnerability stemmed from inadequate sanitization of user-controlled input when adding pages to navigation menus. The page-related data was stored server-side and later rendered without proper output encoding, allowing malicious actors to inject scripts. These scripts could be executed in the context of the application, leading to stored DOM-based cross-site scripting (XSS) affecting administrative interfaces and public navigation menus. The issue was fixed in version 0.31.0.0.
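The missing output encoding described above, as an added example that is not CI4MS code or its patch: a menu renderer that concatenates stored values into markup, beside one that encodes each value for the context it lands in. The field names `title` and `url` and the sample rows are assumptions constructed for illustration; HTML is built as strings so the block runs outside a browser.

```javascript
// Added illustration; not CI4MS code. Field names (title, url) are assumed.

// Encode the five characters that can change HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow only site-relative paths and http(s) links; anything else becomes "#".
function safeHref(url) {
  const u = String(url).trim();
  if (/^\/(?![\/\\])/.test(u)) return u; // "/path", but not "//host" or "/\host"
  try {
    const parsed = new URL(u);
    return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : '#';
  } catch {
    return '#'; // not an absolute URL and not a site-relative path
  }
}

// BEFORE: stored values concatenated straight into markup.
function renderMenuUnsafe(items) {
  return '<ul>' + items.map((i) =>
    `<li><a href="${i.url}">${i.title}</a></li>`).join('') + '</ul>';
}

// AFTER: the link target is validated, then every value is HTML-encoded.
function renderMenuSafe(items) {
  return '<ul>' + items.map((i) =>
    `<li><a href="${escapeHtml(safeHref(i.url))}">${escapeHtml(i.title)}</a></li>`)
    .join('') + '</ul>';
}

// Constructed sample rows standing in for stored menu entries.
const storedMenu = [
  { title: 'About us', url: '/about' },
  { title: '<img src=x onerror=alert(1)>', url: '/contact' },
  { title: 'Docs', url: 'javascript:alert(1)' },
];

console.log(renderMenuUnsafe(storedMenu)); // markup and script URL pass through
console.log(renderMenuSafe(storedMenu));   // both are neutralised
```

When the menu is built in the browser, assigning labels through `textContent` and link targets through `setAttribute` after the same scheme check avoids HTML parsing of stored values altogether.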

Affected Version(s)

ci4ms < 0.31.0.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
