{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34566", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:56:30.997Z", "datePublished": "2026-04-01T21:27:01.492Z", "dateUpdated": "2026-04-04T03:15:36.218Z"}, "containers": {"cna": {"title": "CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-458r-h248-29c5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-458r-h248-29c5"}, {"name": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"}], "affected": [{"vendor": "ci4-cms-erp", "product": "ci4ms", "versions": [{"version": "< 0.31.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T21:27:01.492Z"}, "descriptions": [{"lang": "en", "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Page Management functionality when creating or editing pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side. These stored values are later rendered without proper output encoding across administrative page lists and public-facing page views, leading to stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0."}], "source": {"advisory": "GHSA-458r-h248-29c5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-04T03:15:25.339413Z", "id": "CVE-2026-34566", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:15:36.218Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34566", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-04T03:15:25.339413Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:15:30.419Z"}}], "cna": {"title": "CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS", "source": {"advisory": "GHSA-458r-h248-29c5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ci4-cms-erp", "product": "ci4ms", "versions": [{"status": "affected", "version": "< 0.31.0.0"}]}], "references": [{"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-458r-h248-29c5", "name": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-458r-h248-29c5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0", "name": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Page Management functionality when creating or editing pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side. These stored values are later rendered without proper output encoding across administrative page lists and public-facing page views, leading to stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T21:27:01.492Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34566", "state": "PUBLISHED", "dateUpdated": "2026-04-04T03:15:36.218Z", "dateReserved": "2026-03-30T16:56:30.997Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T21:27:01.492Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*", "matchCriteriaId": "805F6B8A-9324-4CA4-BADE-439CC15DA14C", "versionEndExcluding": "0.31.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Page Management functionality when creating or editing pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side. These stored values are later rendered without proper output encoding across administrative page lists and public-facing page views, leading to stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0."}], "id": "CVE-2026-34566", "lastModified": "2026-04-06T16:42:22.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-01T22:16:20.263", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-458r-h248-29c5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.31.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ci4ms", "source": "cna", "vendor": "ci4-cms-erp"}, "product": "ci4ms", "vendor": "ci4-cms-erp"}], "analysis": {"en": {"generated_at": "2026-04-06T19:47:49.636383+00:00", "value": {"mitigation_remediation": ["Upgrade CI4MS to version\u202f0.31.0.0 or later", "If an upgrade is not immediately feasible, restrict the use of the Page Management feature to a limited set of trusted administrators and monitor for unauthorized input", "If possible, implement server\u2011side output encoding for all page content or remove scripting content from inputs", "Apply a site\u2011wide Content Security Policy that disallows inline scripts"], "summary": {"action": "Immediate Patch", "impact": "Stored DOM XSS capable of full account takeover and privilege escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all CI4MS installations running versions older than\u202f0.31.0.0 from the vendor\u202fci4\u2011cms\u2011erp. The official fix has been applied in release\u202f0.31.0.0, which removes the unsanitized input store and applies proper output encoding. No other versions are documented, so any earlier release is considered vulnerable.", "description_and_impact": "CI4MS is a CodeIgniter\u202f4 based CMS skeleton that uses page management functionality. Prior to release\u202f0.31.0.0 the application fails to properly sanitize user input in multiple fields that are stored server\u2011side. These values are later rendered without output encoding, allowing an attacker to embed and persist malicious JavaScript that runs in the context of an administrator or any visitor to a public page. The resulting stored DOM\u2011based XSS can lead to full account takeover, privilege escalation, or theft of session cookies, as classified by CWE\u201179.", "risk_and_exploitability": "The CVSS score of\u202f9.1 indicates a high severity attack that could compromise confidentiality, integrity, and availability of the CMS account. The EPSS score of under\u202f1\u202f% suggests low current exploit probability, and the issue is not listed in CISA KEV, implying no known public exploits. The likely attack vector is remote web\u2011based input through the page editing interface, where an attacker with permissions to create or edit pages can inject payloads. Successful exploitation would give access to administrative functionality and allow further privilege escalation."}}}}, "created": "2026-04-02T07:47:17.489389+00:00", "updated": "2026-04-07T07:56:33.372592+00:00", "vendors": ["ci4-cms-erp", "ci4-cms-erp$PRODUCT$ci4ms"]}