CVE-2026-34566

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0

Description CI4MS, a CodeIgniter 4-based CMS, is susceptible to stored DOM-based cross-site scripting (XSS) through the Page Management functionality. The application does not properly sanitize user-controlled input in multiple fields during page creation or editing. These unsanitized values are stored server-side and rendered without output encoding in administrative page lists and public-facing page views, enabling the execution of malicious JavaScript payloads. Affected fields include Title, URL, Content, Cover Image, Image URL, Image Width, Image Height, SEO Description, and SEO Keywords. An attacker can inject a payload into these fields, which will then execute in the browsers of administrators, authenticated users, and visitors. The affected API endpoints are /backend/pages/create, the page list management view, and public-facing page views.

Recommendations Versions prior to 0.31.0.0 should be updated to version 0.31.0.0 or later. Avoid using unsafe DOM manipulation methods like .html() or innerHTML. Implement HTML entity encoding on all user-controlled data before rendering it in the browser. Implement input sanitization to properly sanitize all user-supplied input. Enforce security headers and cookie attributes, including Content Security Policy (CSP), the HttpOnly flag, the SameSite attribute, and the Secure flag.