Stored Cross-Site Scripting Vulnerability in CI4MS CMS by CodeIgniter
CVE-2026-34568

9.1 CRITICAL

Key Information:

Status
Vendor
CVE Published: 1 April 2026

What is CVE-2026-34568?

CI4MS, a CMS built on CodeIgniter 4, has a stored cross-site scripting vulnerability caused by inadequate sanitization of user-controlled input in blog posts. In versions prior to 0.31.0.0, an attacker can exploit this flaw to inject malicious JavaScript into blog content. The payload is saved on the server and later rendered without proper output encoding in various application views, creating a risk of user data compromise and session hijacking. Users are encouraged to update to version 0.31.0.0 to mitigate this threat.

Affected Version(s)

ci4ms < 0.31.0.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved