How to fix CVE-2026-34557?

Within 24 hours: Inventory all CI4MS deployments and current version numbers; restrict administrative access to trusted personnel only. Within 7 days: Upgrade all CI4MS instances to version 0.31.0.0 or later per vendor advisory. Within 30 days: Audit administrative role and group management audit logs for malicious script injections; rotate credentials for all administrative accounts that accessed the system during exposure period; conduct penetration testing of administrative functions post-patch.

CVE-2026-34557

EUVD-2026-17213 CRITICAL

2026-03-30 GitHub_M

GHSA-rpjr-985c-qhvm

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch Released

Apr 01, 2026 - 02:30 nvd

Patch available

Analysis Generated

Mar 30, 2026 - 21:00 vuln.today

EUVD ID Assigned

Mar 30, 2026 - 21:00 euvd

EUVD-2026-17213

CVE Published

Mar 30, 2026 - 20:24 nvd

CRITICAL 9.1

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within group and role management functionality. Multiple input fields (three distinct group-related fields) can be injected with malicious JavaScript payloads, which are then stored server-side. These stored payloads are later rendered unsafely within privileged administrative views without proper output encoding, leading to stored cross-site scripting (XSS) within the role and permission management context. This issue has been patched in version 0.31.0.0.

Analysis

Stored cross-site scripting in CI4MS role/group management allows authenticated attackers to inject malicious JavaScript into three distinct administrative fields, achieving persistent code execution in privileged admin contexts with scope change impact. The vulnerability affects all versions prior to 0.31.0.0 and requires low-privilege authenticated access with no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C). …

Remediation

Within 24 hours: Inventory all CI4MS deployments and current version numbers; restrict administrative access to trusted personnel only. Within 7 days: Upgrade all CI4MS instances to version 0.31.0.0 or later per vendor advisory. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +46

POC: 0

CVE-2026-34557 vulnerability details – vuln.today

Back

CVE-2026-34557

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-34557

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code