PT-2026-29128 · Ci4Ms

Bugmithlegend +1 · Published 2026-03-30 · Updated 2026-04-01 · CVE-2026-34558

CVSS v3.1 9.1 Critical
Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.0.0
Description: CI4MS is a CodeIgniter 4-based CMS skeleton providing a modular architecture with RBAC authorization and theme support. The Methods Management functionality, used to create and manage application methods/pages, does not properly sanitize user-controlled input: multiple input fields accept JavaScript payloads that are stored server-side without validation or output encoding. The stored values are later rendered unencoded into administrative interfaces and global navigation components, resulting in stored DOM-based cross-site scripting (XSS). The injection point is reachable by a low-privileged authenticated user (PR:L in the vector), and the payload executes in the browser of any user, including administrators, who loads the affected interfaces (S:C).
Recommendations: Update CI4MS to version 0.31.0.0 or later.
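The rendering failure the description refers to, shown as an added example that is not CI4MS code: a stored "method" record with attacker-controlled fields is interpolated into a navigation item, first raw (the vulnerable pattern) and then with output encoding for each context. The field names `name` and `slug`, the template, and the sample payloads are assumptions; in a CodeIgniter 4 view the framework's `esc()` helper performs the encoding, and a standalone equivalent is used here so the script runs without the framework.

```php
<?php
declare(strict_types=1);

// Added example, not CI4MS project code. Field names ('name', 'slug') and the
// nav template are assumptions standing in for the Methods Management fields
// the advisory describes.

// Constructed sample record: what a low-privileged user could submit through
// the Methods Management form. Both values carry XSS payloads.
$method = [
    'id'   => 7,
    'name' => '<img src=x onerror=alert(document.cookie)>',
    'slug' => 'reports" autofocus onfocus="alert(1)',
];

// Vulnerable pattern: stored values interpolated straight into markup.
// Any user whose navigation includes this item runs the payload.
function renderNavItemVulnerable(array $m): string
{
    return sprintf('<li><a href="/%s">%s</a></li>', $m['slug'], $m['name']);
}

// Context-aware encoders. In a CodeIgniter 4 view the framework's esc()
// helper (esc($v) for HTML text, esc($v, 'attr') for attributes, esc($v, 'url')
// for URL components) does this job; standalone equivalents are used here so
// the script runs without the framework.
function encHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function encUrlSegment(string $s): string
{
    // Percent-encode the path segment, then HTML-encode it for the attribute.
    return encHtml(rawurlencode($s));
}

// Hardened pattern: every stored value is encoded for the context it lands in.
function renderNavItemSafe(array $m): string
{
    return sprintf(
        '<li><a href="/%s">%s</a></li>',
        encUrlSegment($m['slug']),
        encHtml($m['name'])
    );
}

// Cheap regression check for a test suite: the stored values may contribute
// neither a tag nor an attribute break to the rendered item, so the only '<'
// and '"' characters present are the four tag openers and two href quotes
// the template itself wrote.
function navItemIsInert(array $m): bool
{
    $html = renderNavItemSafe($m);
    return !str_contains($html, '<img')
        && !str_contains($html, '" autofocus')
        && substr_count($html, '<') === 4
        && substr_count($html, '"') === 2;
}

echo renderNavItemVulnerable($method), PHP_EOL;
echo renderNavItemSafe($method), PHP_EOL;
echo 'inert: ', var_export(navItemIsInert($method), true), PHP_EOL;
```

The first line of output is a live `<img onerror>` and a broken-out `onfocus` attribute; the second is harmless text inside the link. If the navigation is instead built client-side from a JSON endpoint, the same rule applies on that side: assign stored strings with `textContent` and `setAttribute`, never `innerHTML`, or the server-side fix alone leaves the DOM-based path open.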

Exploit · Fix · LPE · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34558
GHSA-V77R-XG3P-75G7

Affected Products

Ci4Ms