CVE-2026-34989

Published 06/04/2026 17:17 · Modified 07/04/2026 17:16

Labels: CVE-2026-34989 · 2026-04-06 · CWE-79 · [email protected]

Essential information

Published: 06/04/2026 17:17
Modified: 07/04/2026 17:16
Author / Creator:
CVSS: 9.4 CRITICAL (v3) · 9.4 CRITICAL (v4.0)
CISA KEV: No
CWE: CWE-79

CVSS vector

CVSS metrics

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0.
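The description names the two halves of the defect: the profile name is stored without validation, and the stored value is later echoed into views without output encoding. The following is an added illustration, not code from CI4MS or CodeIgniter: a minimal PHP render of a stored profile name, once echoed raw and once encoded for the HTML context in which it is displayed. It assumes PHP 8 and plain string templates; `escHtml`, `renderProfileUnsafe`, `renderProfileSafe`, `renderEditFormSafe` and the sample name are constructed for this example, and `escHtml` stands in for what CodeIgniter 4's `esc()` helper does inside a real view.

```php
<?php
// Added example (not CI4MS or CodeIgniter project code): a stored profile name
// rendered without and with output encoding. Assumptions: PHP 8+, plain string
// templates, and an array standing in for the persisted profile row.
declare(strict_types=1);

// HTML-body/attribute encoding. In a CodeIgniter 4 view this is what esc($value)
// does; htmlspecialchars is used here so the file runs with a stock php binary.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (the class of bug the advisory describes): the value read
// back from storage is concatenated into markup unchanged.
function renderProfileUnsafe(array $profile): string
{
    return '<h1>Welcome, ' . $profile['name'] . '</h1>';
}

// Hardened pattern: encode at the point of output, in the view.
function renderProfileSafe(array $profile): string
{
    return '<h1>Welcome, ' . escHtml($profile['name']) . '</h1>';
}

// The same field inside an attribute (the edit form). ENT_QUOTES makes the
// encoder cover the quote characters that would otherwise close the attribute.
function renderEditFormSafe(array $profile): string
{
    return '<input name="name" value="' . escHtml($profile['name']) . '">';
}

// Constructed sample: a name a user could submit through the profile form.
// Storage keeps the raw string; encoding belongs at output, where the
// rendering context (HTML body, attribute, JS, URL) is known.
$storedProfile = ['name' => "<script>alert('stored xss')</script>"];

$unsafe = renderProfileUnsafe($storedProfile);
$safe   = renderProfileSafe($storedProfile);
$form   = renderEditFormSafe($storedProfile);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo "form:   $form\n";

// Regression checks a test suite could keep: no raw tag survives encoding,
// and the attribute value cannot break out of its quotes.
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;'));
assert(!str_contains($form, "'"));
assert(substr_count($form, '"') === 2);
```

Run with `php example.php`. The point for remediation and for review is that the encoding lives in every view that prints the field, not in the profile-update handler; the advisory's note that the payload is rendered in "multiple application views" is exactly the situation where one forgotten view keeps the stored XSS alive after the others are fixed.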

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product                      CPE
codeigniter / codeigniter    cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*
ci4ms / ci4ms                cpe:2.3:a:ci4ms:ci4ms:*:*:*:*:*:*:*:*

References