PT-2026-29127 · Ci4Ms · Ci4Ms

Bugmithlegend · Published 2026-03-30 · Updated 2026-04-01 · CVE-2026-34557

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.0.0
Description: CI4MS is a CodeIgniter 4-based CMS skeleton offering a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application does not properly sanitize user-controlled input in its group and role management functionality. Several input fields related to group management accept malicious JavaScript payloads, which are stored on the server and later rendered without output encoding in privileged administrative views, resulting in stored cross-site scripting (XSS) in the role and permission management context. Because the stored payload executes in the browser of an administrator viewing those pages, the issue allows privilege escalation to administrative level.
Recommendations: Versions prior to 0.31.0.0 should be updated to version 0.31.0.0 or later.
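The root cause described above is output-side: values that originated as user input are written into an administrative HTML view without encoding. The following is an added illustration written for this entry, not code from the CI4MS project; the view file, the `$groups` variable and its `name`/`description` fields are hypothetical. It contrasts a raw interpolation with the same view using CodeIgniter 4's `esc()` helper, which encodes for the HTML body by default and takes a second argument for other contexts.

```php
<?php
// Added illustration, not CI4MS project code. Hypothetical administrative
// view that lists groups; $groups is assumed to be an array of objects whose
// ->name and ->description fields were stored from user-controlled input.
?>

<!-- Weak pattern: raw interpolation. Anything stored in name/description is
     emitted as markup and executes in the administrator's browser. -->
<table>
<?php foreach ($groups as $group): ?>
  <tr>
    <td><?= $group->name ?></td>
    <td><?= $group->description ?></td>
  </tr>
<?php endforeach; ?>
</table>

<!-- Hardened pattern: encode at output time for the context the value lands in.
     esc($v) defaults to the 'html' context; 'attr' is used for attribute
     values, and 'js' would be used for data placed inside inline script. -->
<table>
<?php foreach ($groups as $group): ?>
  <tr data-group="<?= esc($group->name, 'attr') ?>">
    <td><?= esc($group->name) ?></td>
    <td><?= esc($group->description) ?></td>
  </tr>
<?php endforeach; ?>
</table>
```

Output encoding is the fix that closes the issue regardless of what was stored; server-side validation of the group fields at submission time (for example a `max_length[]` rule in the controller's `$this->validate()` call) is a useful second layer but does not replace it, since data can reach the table by other paths than the form.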

Labels: Exploit · Fix · LPE · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-34557
GHSA-RPJR-985C-QHVM

Affected Products

Ci4Ms