Stored Cross-Site Scripting Vulnerability in CI4MS by CodeIgniter 4
CVE-2026-34989

9.4 CRITICAL

Key Information:

CVE Published: 6 April 2026

What is CVE-2026-34989?

CI4MS, a Content Management System built on CodeIgniter 4, is vulnerable to stored cross-site scripting (XSS). The flaw stems from improper sanitization of user-controlled input during profile updates: an authenticated user can place JavaScript in their full name or username field. The payload is persisted server-side and later rendered without output encoding in several of the application's views, so every user who loads one of those views executes it. The issue is fixed in version 31.0.0.0; the fix underlines the need for proper output encoding together with input validation.
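The following is an added illustration, not CI4MS code, of the pattern the advisory describes: a stored name value reaching a view unencoded, beside the output-encoding fix and validation rules that reject markup at input time. The field names, the sample record and the rule set are assumptions.

```php
<?php
// Added example (not CI4MS code). Field names and the record are constructed.
declare(strict_types=1);

// Constructed profile record: the kind of value a profile update could persist
// in a name column when the input is not validated.
$profile = [
    'username' => 'jdoe',
    'fullname' => 'J. Doe <script>alert("stored")</script>',
];

// Vulnerable pattern: raw interpolation of stored data into HTML. Every view
// that does this (profile page, member list, header greeting) re-emits the
// stored markup to each visitor, which is what makes the XSS "stored".
function renderUnsafe(array $p): string
{
    return "<span class=\"name\">{$p['fullname']}</span>";
}

// Hardened pattern: encode for the HTML context at output time. This is the
// same transformation CodeIgniter 4's esc($value) applies in a view for its
// default 'html' context.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(array $p): string
{
    return '<span class="name">' . escHtml($p['fullname']) . '</span>';
}

// Defence in depth: constrain the fields on the way in as well. These are
// CodeIgniter 4 validation rules as passed to $this->validate() in a
// controller; the field names and limits are assumptions for this example.
const PROFILE_RULES = [
    'username' => ['required', 'alpha_numeric', 'max_length[30]'],
    'fullname' => ['required', 'string', 'max_length[80]'],
];

echo renderUnsafe($profile), PHP_EOL; // <script> tag reaches the browser intact
echo renderSafe($profile), PHP_EOL;   // &lt;script&gt;... is displayed as text
```

Output encoding in every view is the primary control, because a name stored before the fix is still in the database after it; validation alone does not retroactively clean existing rows.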

Affected Version(s)

ci4ms < 31.0.0.0

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
