{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34567", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:56:30.998Z", "datePublished": "2026-04-01T21:28:23.544Z", "dateUpdated": "2026-04-02T16:23:41.808Z"}, "containers": {"cna": {"title": "CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r33w-c82v-x5v7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r33w-c82v-x5v7"}, {"name": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"}], "affected": [{"vendor": "ci4-cms-erp", "product": "ci4ms", "versions": [{"version": "< 0.31.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T21:28:23.544Z"}, "descriptions": [{"lang": "en", "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts within the Categories section. An attacker can inject a malicious JavaScript payload into the Categories content, which is then stored server-side. This stored payload is later rendered unsafely when the Categories are viewed via blog posts, without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0."}], "source": {"advisory": "GHSA-r33w-c82v-x5v7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r33w-c82v-x5v7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:11:50.611582Z", "id": "CVE-2026-34567", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:23:41.808Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*", "matchCriteriaId": "805F6B8A-9324-4CA4-BADE-439CC15DA14C", "versionEndExcluding": "0.31.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts within the Categories section. An attacker can inject a malicious JavaScript payload into the Categories content, which is then stored server-side. This stored payload is later rendered unsafely when the Categories are viewed via blog posts, without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0."}], "id": "CVE-2026-34567", "lastModified": "2026-04-06T16:41:42.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-01T22:16:20.420", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r33w-c82v-x5v7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r33w-c82v-x5v7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.31.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ci4ms", "source": "cna", "vendor": "ci4-cms-erp"}, "product": "ci4ms", "vendor": "ci4-cms-erp"}], "analysis": {"en": {"generated_at": "2026-04-06T19:47:18.905758+00:00", "value": {"mitigation_remediation": ["Apply the official patch to CI4MS version 0.31.0.0 or later.", "Verify that category content is being properly sanitized after the update.", "If the patch cannot be applied immediately, disable the categories feature or block rendering of user\u2011supplied scripts in that section.", "Monitor the database for unexpected script content in category fields and audit user access to the category editing interface."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting allowing Full Account Takeover"}, "threat_synthesis": {"affected_systems": "The affected system is the CI4MS application. All releases prior to version\u202f0.31.0.0 are vulnerable. Version\u202f0.31.0.0 introduces the necessary input sanitization and resolves the issue.", "description_and_impact": "The flaw originates from an oversight in sanitizing user input when creating or editing blog post categories in CI4MS, a CodeIgniter\u202f4\u2011based CMS skeleton. A malicious script can be embedded into category content, stored by the server, and later rendered without proper output encoding when categories are viewed. This stored XSS can steal authentication cookies, hijack sessions, and elevate privileges, permitting an attacker to take full control of any user account regardless of role assignment.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.1, indicating critically high severity. EPSS is below 1\u202f%, suggesting that active exploitation is currently low in frequency. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have write access to the categories section, which typically means having any authenticated account. Once injected, the stored payload is executed in the browser of any visitor viewing the affected categories, providing a path to full account takeover."}}}}, "created": "2026-04-02T07:47:16.531588+00:00", "updated": "2026-04-07T07:56:32.402566+00:00", "vendors": ["ci4-cms-erp", "ci4-cms-erp$PRODUCT$ci4ms"]}