PT-2026-30680 · Ci4Ms

Bugmithlegend · Published 2026-04-06 · Updated 2026-04-11 · CVE-2026-35035

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.2.0

Description: CI4MS, a CodeIgniter 4-based CMS skeleton, is susceptible to a stored Cross-Site Scripting (XSS) issue. The application does not properly sanitize user-controlled input within the System Settings – Company Information section. Several administrative configuration fields, including Company Name, Slogan, Company Phone, Company Mobile, Company Email, Google Maps iframe link, and Company Logo, accept attacker-controlled input that is stored server-side and rendered unsafely on public-facing pages.

The vulnerability impacts the public frontend and does not affect the administrative dashboard. The affected functionality includes the System Settings – Company Information configuration and public-facing page rendering. An attacker can inject a malicious JavaScript payload into these fields, which is then stored and executed on public-facing pages, potentially leading to account takeover and platform-wide compromise. API endpoints include /backend/settings/ (for injection) and the main landing page (for execution).

Recommendations: Update to version 0.31.2.0 or later to resolve the issue.
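The unsafe rendering pattern the advisory describes beside a hardened form, as an added example that is not CI4MS's own code; it assumes the settings field names, CodeIgniter 4's esc() helper (stubbed so the file runs stand-alone) and a Google-only allow-list for the embed link.

```php
<?php
// Added example, not CI4MS project code: models the pattern the advisory describes,
// Company Information settings read from storage and placed into public page markup.
// Field keys, the iframe handling and the allowed hosts are assumptions.
// Stand-in for CodeIgniter 4's esc() so the file runs outside the framework;
// the framework's own esc() (Laminas Escaper) is stricter, notably for 'attr'.
if (!function_exists('esc')) {
    function esc(string $data, string $context = 'html'): string
    {
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// A stored "Google Maps iframe link" is only embedded if it is https and on an
// allow-listed host; javascript:, data: or third-party URLs are dropped.
function safeMapEmbedUrl(string $url, array $hosts = ['www.google.com', 'maps.google.com']): ?string
{
    $p = parse_url($url);
    if ($p === false || strtolower($p['scheme'] ?? '') !== 'https') {
        return null;
    }
    return in_array(strtolower($p['host'] ?? ''), $hosts, true) ? $url : null;
}

// Vulnerable pattern: settings values concatenated into HTML verbatim.
function renderCompanyHeaderUnsafe(array $s): string
{
    return '<h1>' . $s['company_name'] . '</h1><p>' . $s['slogan'] . '</p>'
         . '<a href="mailto:' . $s['company_email'] . '">Contact</a>'
         . '<iframe src="' . $s['maps_iframe'] . '"></iframe>';
}

// Hardened pattern: escape for the context each value lands in (html body vs.
// attribute) and validate the URL before it becomes an iframe src.
function renderCompanyHeaderSafe(array $s): string
{
    $map = safeMapEmbedUrl($s['maps_iframe']);
    return '<h1>' . esc($s['company_name']) . '</h1><p>' . esc($s['slogan']) . '</p>'
         . '<a href="mailto:' . esc($s['company_email'], 'attr') . '">Contact</a>'
         . ($map === null ? '' : '<iframe src="' . esc($map, 'attr') . '"></iframe>');
}

// Constructed sample settings: markup and quotes in text fields, a non-Google link.
$settings = [
    'company_name'  => 'Acme <b>Ltd</b>',
    'slogan'        => 'Quotes "and" ampersands & co',
    'company_email' => 'info@"example".com',
    'maps_iframe'   => 'https://not-google.example/embed',
];
echo renderCompanyHeaderUnsafe($settings), PHP_EOL; // markup reaches the page intact
echo renderCompanyHeaderSafe($settings), PHP_EOL;   // entity-encoded; iframe omitted
```

Escaping at output time is the fix that holds regardless of what was stored; input validation on the settings form is a useful second layer, not a replacement.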

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-35035
GHSA-5GHQ-42RG-769X

Affected Products

Ci4Ms
Codeigniter4