CVE-2026-34559 (GCVE-0-2026-34559)

Vulnerability from cvelistv5 – Published: 2026-04-01 21:20 – Updated: 2026-04-02 16:23

Title

CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side. This stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/ci4-cms-erp/ci4ms/security/adv…	x_refsource_CONFIRM
	https://github.com/ci4-cms-erp/ci4ms/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ci4-cms-erp	ci4ms	Affected: < 0.31.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34559",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T15:12:43.806600Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T16:23:56.044Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ci4ms",
          "vendor": "ci4-cms-erp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.31.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side. This stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T21:20:51.450Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245"
        },
        {
          "name": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
        }
      ],
      "source": {
        "advisory": "GHSA-4333-387x-w245",
        "discovery": "UNKNOWN"
      },
      "title": "CI4MS: Blogs Tags Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34559",
    "datePublished": "2026-04-01T21:20:51.450Z",
    "dateReserved": "2026-03-30T16:31:39.265Z",
    "dateUpdated": "2026-04-02T16:23:56.044Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-34559\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-01T22:16:18.780\",\"lastModified\":\"2026-04-03T16:10:52.680\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side. This stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.1,\"impactScore\":5.3}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}"
  }
}

FKIE_CVE-2026-34559

Vulnerability from fkie_nvd - Published: 2026-04-01 22:16 - Updated: 2026-04-03 16:10

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
	security-advisories@github.com	https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side. This stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0."
    }
  ],
  "id": "CVE-2026-34559",
  "lastModified": "2026-04-03T16:10:52.680",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 5.3,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-01T22:16:18.780",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-4333-387X-W245

Vulnerability from github – Published: 2026-04-01 21:53 – Updated: 2026-04-06 17:13

Summary

CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Details

Summary

Vulnerability: Stored DOM XSS via Blog Tag Name (Persistent Payload Injection)

Stored Cross-Site Scripting via Unsanitized Blog Tag Name in Blog Management

Description

The application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side.

This stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS).

Affected Functionality

Blog tag creation functionality
Blog tag editing functionality
Blog tag storage and retrieval logic

Attack Scenario

An attacker creates or edits a blog tag name to include a malicious XSS payload.
The application stores this value without sanitization or encoding.
The payload persists and executes whenever the tag name is rendered in affected views.

Impact

Persistent Stored XSS
Execution of arbitrary JavaScript in victims’ browsers
Privilege escalation when viewed by administrators or privileged users
Full administrator account takeover
Full account takeover across all roles
Full compromise of the entire application

Endpoints: - /backend/blogs/tags/ - /blog/{id}

Steps To Reproduce (POC)

Go to the Blog Tags management page
Create or edit a tag and insert an XSS payload into the tag name such as: <img src=x onerror=alert(document.domain)>
Save the tag
View a public blog page or the administrative interface where the tag is rendered
Notice the XSS payload executing automatically

Remediation

Avoid unsafe DOM manipulation methods: Do not use .html(), innerHTML, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.
Apply output encoding: Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.
Implement input sanitization: Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.
Enforce security headers and cookie attributes:
Content Security Policy (CSP): Define and enforce a strict CSP to limit the execution of unauthorized scripts.
HttpOnly flag: Set the HttpOnly attribute on session cookies to prevent client-side script access.
SameSite attribute: Configure the SameSite cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.
Secure flag: Ensure all cookies are transmitted only over HTTPS by enabling the Secure attribute.

These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.

Ready Video POC:

https://mega.nz/file/GI9Bnbha#FkVY4K7AiuttnBGDFaCtxuJwKk-afRcKjYJnkqfLZOM

Severity ?

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.28.6.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "ci4-cms-erp/ci4ms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:53:01Z",
    "nvd_published_at": "2026-04-01T22:16:18Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n### **Vulnerability: Stored DOM XSS via Blog Tag Name (Persistent Payload Injection)**\n- Stored Cross-Site Scripting via Unsanitized Blog Tag Name in Blog Management\n\n### Description\nThe application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side.\n\nThis stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS).\n\n### Affected Functionality\n- Blog tag creation functionality\n- Blog tag editing functionality\n- Blog tag storage and retrieval logic\n\n### Attack Scenario\n- An attacker creates or edits a blog tag name to include a malicious XSS payload.\n- The application stores this value without sanitization or encoding.\n- The payload persists and executes whenever the tag name is rendered in affected views.\n\n### Impact\n- Persistent Stored XSS\n- Execution of arbitrary JavaScript in victims\u2019 browsers\n- Privilege escalation when viewed by administrators or privileged users\n- Full administrator account takeover\n- Full account takeover across all roles\n- Full compromise of the entire application\n\nEndpoints:\n- `/backend/blogs/tags/`\n- `/blog/{id}`\n\n## Steps To Reproduce (POC)\n1. Go to the Blog Tags management page\n2. Create or edit a tag and insert an XSS payload into the tag name such as:\n`\u003cimg src=x onerror=alert(document.domain)\u003e`\n3. Save the tag\n4. View a public blog page or the administrative interface where the tag is rendered\n5. Notice the XSS payload executing automatically\n\n## Remediation\n\n- **Avoid unsafe DOM manipulation methods:** Do not use `.html()`, `innerHTML`, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an attacker may exploit.\n\n- **Apply output encoding:** Implement HTML entity encoding on all user-controlled data before rendering it in the browser. This helps neutralize potentially malicious input.\n\n- **Implement input sanitization:** Ensure that all user-supplied input is properly sanitized before processing or output. Currently, no sanitization mechanisms are in place, which should be addressed as a priority.\n\n- **Enforce security headers and cookie attributes:**\n  - **Content Security Policy (CSP):** Define and enforce a strict CSP to limit the execution of unauthorized scripts.\n  - **HttpOnly flag:** Set the `HttpOnly` attribute on session cookies to prevent client-side script access.\n  - **SameSite attribute:** Configure the `SameSite` cookie attribute to mitigate Cross-Site Request Forgery (CSRF) risks.\n  - **Secure flag:** Ensure all cookies are transmitted only over HTTPS by enabling the `Secure` attribute.\n\n  These measures collectively reduce the impact of XSS and help prevent escalation paths such as CSRF via XSS.\n# Ready Video POC:\nhttps://mega.nz/file/GI9Bnbha#FkVY4K7AiuttnBGDFaCtxuJwKk-afRcKjYJnkqfLZOM",
  "id": "GHSA-4333-387x-w245",
  "modified": "2026-04-06T17:13:49Z",
  "published": "2026-04-01T21:53:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34559"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ci4-cms-erp/ci4ms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CI4MS: Blogs Tags Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-34559 (GCVE-0-2026-34559)

FKIE_CVE-2026-34559

GHSA-4333-387X-W245

Summary

Vulnerability: Stored DOM XSS via Blog Tag Name (Persistent Payload Injection)

Description

Affected Functionality

Attack Scenario

Impact

Steps To Reproduce (POC)

Remediation

Ready Video POC:

Tags

Sightings

Nomenclature