CVE-2026-34989 (GCVE-0-2026-34989)

Vulnerability from cvelistv5 – Published: 2026-04-06 16:25 – Updated: 2026-04-07 16:00

Title

CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0.

Severity ?

9.4 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

https://github.com/ci4-cms-erp/ci4ms/security/adv…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	ci4-cms-erp	ci4ms	Affected: < 31.0.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34989",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T15:57:55.900197Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T16:00:10.965Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ci4ms",
          "vendor": "ci4-cms-erp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 31.0.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-06T16:25:54.285Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr"
        }
      ],
      "source": {
        "advisory": "GHSA-vr2g-rhm5-q4jr",
        "discovery": "UNKNOWN"
      },
      "title": "CI4MS affected by Profile \u0026 User Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34989",
    "datePublished": "2026-04-06T16:25:54.285Z",
    "dateReserved": "2026-03-31T19:38:31.617Z",
    "dateUpdated": "2026-04-07T16:00:10.965Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-34989\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-06T17:17:12.037\",\"lastModified\":\"2026-04-07T17:16:29.093\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"CI4MS affected by Profile \u0026 User Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS\", \"source\": {\"advisory\": \"GHSA-vr2g-rhm5-q4jr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"ci4-cms-erp\", \"product\": \"ci4ms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 31.0.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr\", \"name\": \"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-06T16:25:54.285Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34989\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-07T15:57:55.900197Z\"}}}], \"references\": [{\"url\": \"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-04-07T15:58:04.636Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-34989\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-06T16:25:54.285Z\", \"dateReserved\": \"2026-03-31T19:38:31.617Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-06T16:25:54.285Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-34989

Vulnerability from fkie_nvd - Published: 2026-04-06 17:17 - Updated: 2026-04-07 17:16

Severity ?

9.4 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0."
    }
  ],
  "id": "CVE-2026-34989",
  "lastModified": "2026-04-07T17:16:29.093",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.4,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-06T17:17:12.037",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-VR2G-RHM5-Q4JR

Vulnerability from github – Published: 2026-04-03 04:00 – Updated: 2026-04-06 23:40

Summary

CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Details

Summary

Vulnerability 1: Stored DOM XSS via Profile Name Update (Persistent Payload Injection)

Stored Cross-Site Scripting via Unsanitized User Name in Profile Management

Description

The application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side.

This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS).

Affected Functionality

Profile name / full name update functionality (both the 2 user inputs)
User profile storage and retrieval logic

Attack Scenario

An attacker updates their profile name to include a malicious XSS payload.
The application stores this value without sanitization or encoding.
The payload persists and executes whenever the name is rendered in affected views.

Impact

Persistent Stored XSS
Execution of arbitrary JavaScript in victims’ browsers
Foundation for privilege escalation and account takeover when viewed by privileged users & normal ones across blogs and public facing pages that show user profiles full names

Endpoint: /backend/users/profile/

Vulnerability 2: Stored XSS via User Name Rendering Across Multiple Endpoints (Privilege Escalation)

(Required for the chain) - Stored XSS via Unsafe Rendering of User Names Across Administrative and Public Interfaces

Description

User-controlled profile fields (specifically the username / full name) are rendered unsafely across multiple application endpoints, including administrative and content-related interfaces. The application fails to apply proper output encoding when displaying these values.

When an administrator accesses affected pages, the stored XSS payload executes in the administrator’s browser context, resulting in administrative privilege escalation and potential full admin account takeover.

This issue is not limited to a single endpoint and affects all areas where the username is rendered, including but not limited to: - User management interfaces - Blog pages - Other content or UI components displaying usernames

Attack Scenario

Attacker injects a malicious payload via the profile name update functionality.
The payload is stored persistently.
An administrator views the user management page or any affected interface.
The payload executes automatically in the admin’s browser.
Attacker hijacks the admin session, performs privileged actions, or fully compromises the admin account.

Impact

Stored XSS
Administrative privilege escalation
Full admin account takeover (including other roles)
Full compromise of the entire application

Endpoint Example: /backend/users/ of User Management Page

Steps To Reproduce (POC)

Go to Profile Management page of the User
In the 2 user inputs of the Full Name, put in any field of them a XSS Payload such as: <img src=x onerror=alert(document.domain)>
Save the edit
Go to User Management page as an Admin or any other role
Notice the XSS alert popping up that confirms it
Other endpoints aswell can execute such as blogs in the public facing one

Recommended Remediation

Eliminate Unsafe DOM Sinks: Remove all usage of .html(), innerHTML, and similar unsafe DOM manipulation methods throughout the application. These sinks should be replaced with safe alternatives such as .text() or textContent, which do not interpret HTML markup.
Implement Output Encoding: Apply context-appropriate HTML entity encoding to all user-controlled data before rendering it in the DOM. This ensures that any special characters (e.g., <, >, ", ') are rendered as literal text rather than interpreted as executable markup.
Implement Server-Side Input Sanitization: Enforce strict input validation and sanitization on all user-controlled fields — particularly the profile name fields — at the server level before storing values in the database. Currently, no sanitization is applied to these inputs.
Apply Defense in Depth: Even in cases where user input does not appear to flow directly into a dangerous sink, it should still be treated as untrusted. Attackers can and will leverage indirect data flows to exploit the application. A layered approach combining input validation, output encoding, and Content Security Policy (CSP) headers is strongly recommended.

Ready Video POC:

https://mega.nz/file/iEVEyT4Y#f046o6ZwYBfS1kK0HNKOCFm6tL_8_SbLtWWKC1hYC4M

Severity ?

9.4 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.28.6.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "ci4-cms-erp/ci4ms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "31.0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T04:00:57Z",
    "nvd_published_at": "2026-04-06T17:17:12Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n### **Vulnerability 1: Stored DOM XSS via Profile Name Update (Persistent Payload Injection)**\n- Stored Cross-Site Scripting via Unsanitized User Name in Profile Management\n\n### Description\nThe application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side.\n\nThis stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS).\n\n### Affected Functionality\n- Profile name / full name update functionality (both the 2 user inputs)\n- User profile storage and retrieval logic\n\n### Attack Scenario\n- An attacker updates their profile name to include a malicious XSS payload.\n- The application stores this value without sanitization or encoding.\n- The payload persists and executes whenever the name is rendered in affected views.\n\n### Impact\n- Persistent Stored XSS\n- Execution of arbitrary JavaScript in victims\u2019 browsers\n- Foundation for privilege escalation and account takeover when viewed by privileged users \u0026 normal ones across blogs and public facing pages that show user profiles full names\n\nEndpoint: `/backend/users/profile/`\n\n### **Vulnerability 2: Stored XSS via User Name Rendering Across Multiple Endpoints (Privilege Escalation)**\n(Required for the chain)\n- Stored XSS via Unsafe Rendering of User Names Across Administrative and Public Interfaces\n\n### Description\nUser-controlled profile fields (specifically the username / full name) are rendered unsafely across multiple application endpoints, including administrative and content-related interfaces. The application fails to apply proper output encoding when displaying these values.\n\nWhen an administrator accesses affected pages, the stored XSS payload executes in the administrator\u2019s browser context, resulting in administrative privilege escalation and potential full admin account takeover.\n\nThis issue is not limited to a single endpoint and affects all areas where the username is rendered, including but not limited to:\n- User management interfaces\n- Blog pages\n- Other content or UI components displaying usernames\n\n### Attack Scenario\n- Attacker injects a malicious payload via the profile name update functionality.\n- The payload is stored persistently.\n- An administrator views the user management page or any affected interface.\n- The payload executes automatically in the admin\u2019s browser.\n- Attacker hijacks the admin session, performs privileged actions, or fully compromises the admin account.\n\n### Impact\n- Stored XSS\n- Administrative privilege escalation\n- Full admin account takeover (including other roles)\n- Full compromise of the entire application\n\nEndpoint Example: `/backend/users/` of User Management Page\n\n## Steps To Reproduce (POC)\n1. Go to Profile Management page of the User\n2. In the 2 user inputs of the Full Name, put in any field of them a XSS Payload such as:\n`\u003cimg src=x onerror=alert(document.domain)\u003e`\n3. Save the edit\n4. Go to User Management page as an Admin or any other role\n5. Notice the XSS alert popping up that confirms it\n6. Other endpoints aswell can execute such as blogs in the public facing one \n\n### Recommended Remediation\n\n1. **Eliminate Unsafe DOM Sinks:** Remove all usage of `.html()`, `innerHTML`, and similar unsafe DOM manipulation methods throughout the application. These sinks should be replaced with safe alternatives such as `.text()` or `textContent`, which do not interpret HTML markup.\n\n2. **Implement Output Encoding:** Apply context-appropriate HTML entity encoding to all user-controlled data before rendering it in the DOM. This ensures that any special characters (e.g., `\u003c`, `\u003e`, `\"`, `\u0027`) are rendered as literal text rather than interpreted as executable markup.\n\n3. **Implement Server-Side Input Sanitization:** Enforce strict input validation and sanitization on all user-controlled fields \u2014 particularly the profile name fields \u2014 at the server level before storing values in the database. Currently, no sanitization is applied to these inputs.\n\n4. **Apply Defense in Depth:** Even in cases where user input does not appear to flow directly into a dangerous sink, it should still be treated as untrusted. Attackers can and will leverage indirect data flows to exploit the application. A layered approach combining input validation, output encoding, and Content Security Policy (CSP) headers is strongly recommended.\n# Ready Video POC:\nhttps://mega.nz/file/iEVEyT4Y#f046o6ZwYBfS1kK0HNKOCFm6tL_8_SbLtWWKC1hYC4M",
  "id": "GHSA-vr2g-rhm5-q4jr",
  "modified": "2026-04-06T23:40:24Z",
  "published": "2026-04-03T04:00:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34989"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ci4-cms-erp/ci4ms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CI4MS: Profile \u0026 User Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM XSS"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-34989 (GCVE-0-2026-34989)

FKIE_CVE-2026-34989

GHSA-VR2G-RHM5-Q4JR

Summary

Vulnerability 1: Stored DOM XSS via Profile Name Update (Persistent Payload Injection)

Description

Affected Functionality

Attack Scenario

Impact

Vulnerability 2: Stored XSS via User Name Rendering Across Multiple Endpoints (Privilege Escalation)

Description

Attack Scenario

Impact

Steps To Reproduce (POC)

Recommended Remediation

Ready Video POC:

Tags

Sightings

Nomenclature