PT-2026-29625 · Ci4Ms

Bugmithlegend · Published 2026-04-01 · Updated 2026-04-03

CVE-2026-34560
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.0.0
Description: CI4MS is a CodeIgniter 4-based CMS skeleton. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface, resulting in a stored DOM-based blind XSS. If an XSS payload is present in logged data, it is rendered without proper output encoding. The attacker does not see immediate execution: the payload is stored in the application logs and executes only when an administrator views the logs page. The vulnerability can be triggered by accessing endpoints such as /backend/backup/restore/{payload}, which logs the supplied path segment. When an administrator later opens the logs interface, the payload executes in their browser context. The affected functionality includes the application logging mechanism, the logs storage and retrieval logic, and the logs rendering within the administrative interface. The impact includes persistent stored blind XSS, arbitrary JavaScript execution in administrators' browsers, potential privilege escalation, and full application compromise. The relevant endpoints are /backend/logs/ and /backend/backup/restore/{payload}.
Recommendations: Update to version 0.31.0.0 or later. Avoid unsafe DOM manipulation methods like .html() and innerHTML. Apply HTML entity encoding to all user-controlled data before rendering it in the browser. Implement input sanitization to prevent malicious input. Enforce security headers and cookie attributes, including Content Security Policy (CSP), the HttpOnly flag, the SameSite attribute, and the Secure flag.
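The encoding the recommendations call for, shown on a log-viewer row renderer as an added example (this is not CI4MS code; the entry fields, the `renderLogRow` function and the sample log line are assumptions constructed for illustration):

```javascript
// Added example, not part of the CI4MS project: encode every user-controlled
// field before it is placed into the logs page, so a logged request path is
// displayed as text rather than parsed as markup.

// HTML entity encoding for text placed inside element content or a quoted
// attribute value. The five characters below are the ones that can change
// the HTML parser's state.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Builds the markup for one log row. Only the fixed structure is literal
// HTML; every field that came from a request (here the message, which
// carries the logged path) goes through escapeHtml first.
function renderLogRow(entry) {
  return '<tr>' +
    '<td>' + escapeHtml(entry.time) + '</td>' +
    '<td>' + escapeHtml(entry.level) + '</td>' +
    '<td>' + escapeHtml(entry.message) + '</td>' +
    '</tr>';
}

// The vulnerable pattern the advisory describes, for contrast: the raw
// entry is handed to a markup-parsing sink.
//   tbody.innerHTML += '<tr><td>' + entry.message + '</td></tr>';   // unsafe
//   $('#logs').html(rows.join(''));                                  // unsafe
// Where the DOM is built directly, td.textContent = entry.message is the
// equivalent safe choice, because textContent never parses markup.

// Constructed sample: a log line whose message contains a request path
// with markup characters in it (harmless tags used here on purpose).
const sampleEntry = {
  time: '2026-04-01 10:00:00',
  level: 'ERROR',
  message: 'Restore failed for path /backend/backup/restore/<b>"x"</b>',
};

// Render the sample row; the angle brackets and quotes in the message are
// emitted as entities, so the browser shows them instead of interpreting them.
const sampleRow = renderLogRow(sampleEntry);
```

Output encoding at the sink is the fix that removes the bug; the CSP and cookie attributes in the recommendations limit what a payload can do if a sink is missed.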

Tags: Exploit · Fix · LPE · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34560
GHSA-R4V5-RWR2-Q7R4

Affected Products

Ci4Ms
Codeigniter4