CVE-2026-34563 CRITICAL

CVE-2026-34563: CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS

Vendor Ci4-Cms-Erp
Product ci4ms
Weakness CWE-79 · XSS
Published April 1, 2026
Last update April 2, 2026
View on NVD All CVEs

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

What the vulnerability does

01Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when handling backup uploads and processing backup metadata. An attacker can inject a malicious JavaScript payload into the backup filename via the uploaded xss.sql, which uses SQL functionality to insert the XSS payload server-side. This stored payload is later rendered unsafely in multiple backup management views without proper output encoding, leading to stored blind cross-site scripting (Blind XSS). This issue has been patched in version 0.31.0.0.

Key dates

02Disclosure timeline

April 1, 2026 CVE published
April 2, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2019-25280 Yahei-PHP Prober 0.4.7 Remote HTML Injection via Speed Parameter CVE-2023-48452 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2025-7816 PHPGurukul Apartment Visitors Management System HTTP POST Request visitor-detail.php cross site scripting CVE-2025-23663 WordPress Contexto plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-3435 MangBoard WP <= 1.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Board Header And Footer