PT-2026-29626 · Ci4Ms · Ci4Ms
Bugmithlegend +1
Published 2026-04-01 · Updated 2026-04-02
CVE-2026-34561
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
CI4MS versions prior to 0.31.0.0
Description
CI4MS, a CodeIgniter 4-based CMS, is susceptible to stored Cross-site Scripting (XSS) in the System Settings – Social Media Management section. The application does not properly sanitize user-controlled input in the 'Social Media' and 'Social Media Link' configuration fields, so malicious payloads are stored and later rendered without appropriate output encoding. The result is same-page DOM-based XSS: the injected payload breaks out of the input attribute context and executes immediately in the browser of an authenticated user managing settings.

The affected functionality includes the System Settings – Social Media Management configuration, same-page rendering of the user-controlled input fields, DOM attribute injection within form inputs, and the storage and retrieval of social media configuration values. An attacker can inject a malicious JavaScript payload into these fields; it is stored and re-rendered without sanitization, leading to arbitrary JavaScript execution, potential administrative privilege escalation, and full account or platform compromise.

The vulnerable API endpoint is /backend/settings/. The vulnerable parameters are Social Media and Social Media Link.

Recommendations
Versions prior to 0.31.0.0 should be updated to version 0.31.0.0 or later.

Avoid unsafe DOM manipulation methods such as .html() and innerHTML. Apply HTML entity encoding to all user-controlled data before rendering it in the browser. Sanitize all user-supplied input before it is processed or output. Enforce security headers and cookie attributes: Content Security Policy (CSP), the HttpOnly flag on session cookies, the SameSite attribute on cookies, and the Secure flag for HTTPS transmission.

Fix
XSS
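As an added example (not CI4MS code), the rendering pattern the advisory describes, in JavaScript: a stored 'Social Media Link' value written back into a form input by raw string concatenation, beside a version that encodes the value for the HTML attribute context, with a small quote-aware attribute tokenizer to check whether a constructed value escaped the value attribute. The function names and the sample value are assumptions.

```javascript
// Encode for HTML attribute/text context. A bare double quote inside
// value="..." closes the attribute, so " and ' must be encoded as well as &<>.
function encodeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe rendering: the stored value is interpolated without output encoding,
// which is the defect the advisory describes.
function renderLinkInputUnsafe(storedLink) {
  return `<input type="text" name="social_media_link" value="${storedLink}">`;
}

// Hardened rendering: the dynamic value is encoded for the attribute context.
function renderLinkInputSafe(storedLink) {
  return `<input type="text" name="social_media_link" value="${encodeHtmlAttr(storedLink)}">`;
}

// Quote-aware tokenizer for a single tag: returns the attribute names the
// browser would see. Text inside a quoted value never becomes an attribute.
function attributeNames(tagHtml) {
  const names = [];
  const end = tagHtml.lastIndexOf('>');
  let i = tagHtml.indexOf(' ');            // skip the tag name
  while (i >= 0 && i < end) {
    while (i < end && /\s/.test(tagHtml[i])) i++;
    if (i >= end) break;
    let name = '';
    while (i < end && !/[\s=]/.test(tagHtml[i])) name += tagHtml[i++];
    names.push(name);
    if (tagHtml[i] === '=') {
      i++;
      const q = tagHtml[i];
      if (q === '"' || q === "'") {
        const close = tagHtml.indexOf(q, i + 1);
        i = close < 0 ? end : close + 1;   // skip the whole quoted value
      } else {
        while (i < end && !/\s/.test(tagHtml[i])) i++;
      }
    }
  }
  return names;
}

// Constructed sample (no executable handler): a quote followed by an extra
// attribute is enough to show the value leaving the attribute context.
const CONSTRUCTED_BREAKOUT = 'https://example.com/" data-injected="1';

// Expected: unsafe render exposes 4 attributes, safe render exactly 3.
function breakoutCheck(storedLink) {
  return {
    unsafe: attributeNames(renderLinkInputUnsafe(storedLink)),
    safe: attributeNames(renderLinkInputSafe(storedLink)),
  };
}
```

The same attribute-context encoding is what a server-side template should apply before the value reaches the page; client-side fixes that assign the stored value via innerHTML or .html() reintroduce the problem.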
Affected Products: Ci4Ms