{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34559", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:31:39.265Z", "datePublished": "2026-04-01T21:20:51.450Z", "dateUpdated": "2026-04-02T16:23:56.044Z"}, "containers": {"cna": {"title": "CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245"}, {"name": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"}], "affected": [{"vendor": "ci4-cms-erp", "product": "ci4ms", "versions": [{"version": "< 0.31.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T21:20:51.450Z"}, "descriptions": [{"lang": "en", "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side. This stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0."}], "source": {"advisory": "GHSA-4333-387x-w245", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:12:43.806600Z", "id": "CVE-2026-34559", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:23:56.044Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*", "matchCriteriaId": "805F6B8A-9324-4CA4-BADE-439CC15DA14C", "versionEndExcluding": "0.31.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side. This stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0."}], "id": "CVE-2026-34559", "lastModified": "2026-04-13T18:02:00.033", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-01T22:16:18.780", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.31.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ci4ms", "source": "cna", "vendor": "ci4-cms-erp"}, "product": "ci4ms", "vendor": "ci4-cms-erp"}], "analysis": {"en": {"generated_at": "2026-04-13T20:51:31.575529+00:00", "value": {"mitigation_remediation": ["Upgrade CI4MS to version 0.31.0.0 or later.", "If an upgrade cannot be performed immediately, disable the ability to create or edit blog tags to prevent further injection.", "Apply strict input validation and output encoding to all tag fields to guard against future XSS vulnerabilities."], "summary": {"action": "Patch/Upgrade", "impact": "Stored cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "The flaw is present in any CI4MS installation supplied by ci4\u2011cms\u2011erp that is running a version earlier than 0.31.0.0. The 0.31.0.0 release includes the patch that sanitizes tag input and correctly encodes rendered output. Existing deployments that have not applied this update remain vulnerable.", "description_and_impact": "The vulnerability originates from user input in the blog tag name field that is neither validated nor sanitized. Malicious JavaScript can be injected and stored on the server, then later rendered unsafely on public tag pages and in administrative views. Because the code executes in the victim\u2019s browser context, an attacker can harvest session cookies, perform credential phishing, or redirect the user to malicious sites. This flaw is a classic stored XSS vulnerability (CWE\u201179).", "risk_and_exploitability": "The base CVSS score of 9.1 indicates critical severity. The EPSS probability is below 1\u202f% and the vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog, suggesting that widespread exploitation has not been observed. The likely attack vector is a legitimate web interface that accepts tag names. Based on the description, it is inferred that an attacker must have permission to create or edit blog tags. Once a malicious tag is accessed by a user, the injected script runs in that user\u2019s browser environment, potentially enabling credential theft, session hijacking, or other client\u2011side attacks. No server\u2011side code execution or direct bypass of authentication controls is documented."}}}}, "created": "2026-04-02T07:47:24.364044+00:00", "updated": "2026-04-14T16:42:05.579853+00:00", "vendors": ["ci4-cms-erp", "ci4-cms-erp$PRODUCT$ci4ms"]}