Vulnerability Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ci4-Cms-Erp | Ci4Ms | < 0.31.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0Release Notes
- https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4ExploitVendor Advisory
- https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4ExploitVendor Advisory
FAQ
What is CVE-2026-34560?
CVE-2026-34560 is a vulnerability with a CVSS score of 9.1 (CRITICAL). CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-co...
How severe is CVE-2026-34560?
CVE-2026-34560 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-34560?
Check the references section above for vendor advisories and patch information. Affected products include: Ci4-Cms-Erp Ci4Ms.