What is the CVSS score of CVE-2026-34557?

CVE-2026-34557 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Ci4ms are affected by CVE-2026-34557?

CI4MS versions before 0.31.0.0 contain a stored cross-site scripting vulnerability in role and group management that allows authenticated administrators to inject persistent malicious code affecting…. A patch is available.

How to fix or mitigate CVE-2026-34557?

Within 24 hours: Inventory all CI4MS deployments and current version numbers; restrict administrative access to trusted personnel only. Within 7 days: Upgrade all CI4MS instances to version 0.31.0.0 or later per vendor advisory. Within 30 days: Audit administrative role and group management audit logs for malicious script injections; rotate credentials for all administrative accounts that accessed the system during exposure period; conduct penetration testing of administrative functions post-patch.

Ci4ms CVE-2026-34557

EUVD-2026-17213 CRITICAL

Cross-site Scripting (XSS) (CWE-79)

2026-03-30 GitHub_M

GHSA-rpjr-985c-qhvm

XSS Ci4ms

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch released

Apr 01, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Mar 30, 2026 - 21:00 euvd

EUVD-2026-17213

Analysis Generated

Mar 30, 2026 - 21:00 vuln.today

CVE Published

Mar 30, 2026 - 20:24 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within group and role management functionality. Multiple input fields (three distinct group-related fields) can be injected with malicious JavaScript payloads, which are then stored server-side. These stored payloads are later rendered unsafely within privileged administrative views without proper output encoding, leading to stored cross-site scripting (XSS) within the role and permission management context. This issue has been patched in version 0.31.0.0.

AnalysisAI

Stored cross-site scripting in CI4MS role/group management allows authenticated attackers to inject malicious JavaScript into three distinct administrative fields, achieving persistent code execution in privileged admin contexts with scope change impact. The vulnerability affects all versions prior to 0.31.0.0 and requires low-privilege authenticated access with no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as authorized user

Delivery

Inject JavaScript into group management fields

Exploit

Store malicious payload in database

Execution

Administrator views group settings

Impact

Execute stored XSS in admin context