CRITICAL🇵🇱 Wersja polska

CVE-2026-34560

CVSS 9.1v3.1pub. 2026-04-01upd. 2026-04-13

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
  • Ci4 Cms Erp Ci4ms

    APP
    Ci4-Cms-Erp
    < 0.31.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2026-34989CRITICAL9.4PL ✓ten sam produkt

Stored XSS w CI4MS — złośliwy skrypt w nazwie profilu użytkownika

CVE-2026-34559CRITICAL9.1PL ✓ten sam produkt

Stored XSS w CI4MS — wstrzykiwanie skryptów przez pole tagów bloga

CVE-2026-34563CRITICAL9.1PL ✓ten sam produkt

Stored Blind XSS w CI4MS poprzez złośliwą nazwę pliku backup

CVE-2026-34564CRITICAL9.1PL ✓ten sam produkt

Stored DOM-based XSS w CI4MS – Menu Management bez sanityzacji danych

CVE-2026-34565CRITICAL9.1PL ✓ten sam produkt

Stored DOM-based XSS w CI4MS — zarządzanie menu nawigacyjnym