CVE-2026-34571

Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.0.0

Description: CI4MS, a CodeIgniter 4-based CMS skeleton, contains a Stored Cross-Site Scripting (Stored XSS) issue in the backend user management functionality. The application does not properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript code. This code executes automatically when backend users access the affected page, potentially enabling session hijacking, privilege escalation, and full administrative account compromise. The vulnerability resides in the backend user creation feature accessible via the /backend/users API endpoint. User-supplied input in the name and surname fields is stored without validation or sanitization and is then injected into the HTML without output encoding. This allows attackers to embed malicious JavaScript payloads that execute in the context of authenticated backend users.

Recommendations: Update CI4MS to version 0.31.0.0 or later.