What is the CVSS score of CVE-2026-34563?

CVE-2026-34563 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Ci4ms are affected by CVE-2026-34563?

CI4MS backup management contains a stored cross-site scripting vulnerability (CVE-2026-34563) that allows authenticated administrators to inject malicious JavaScript through backup filenames,…. A patch is available.

How to fix or mitigate CVE-2026-34563?

Within 24 hours: Identify all CI4MS instances in production and document current versions; verify administrative access logs for suspicious backup filename patterns. Within 7 days: Apply vendor-released patch to version 0.31.0.0 on all CI4MS deployments; audit existing backups for injected payloads in filenames and remove compromised backups. Within 30 days: Implement input validation controls on backup upload functions; conduct security review of administrative interface for similar XSS vectors; train administrators on backup filename sanitization.

Ci4ms CVE-2026-34563

EUVD-2026-18075 CRITICAL

Cross-site Scripting (XSS) (CWE-79)

2026-04-01 GitHub_M

GHSA-85m8-g393-jcxf

XSS Ci4ms

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch released

Apr 02, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 01, 2026 - 22:16 euvd

EUVD-2026-18075

Analysis Generated

Apr 01, 2026 - 22:16 vuln.today

CVE Published

Apr 01, 2026 - 21:25 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when handling backup uploads and processing backup metadata. An attacker can inject a malicious JavaScript payload into the backup filename via the uploaded xss.sql, which uses SQL functionality to insert the XSS payload server-side. This stored payload is later rendered unsafely in multiple backup management views without proper output encoding, leading to stored blind cross-site scripting (Blind XSS). This issue has been patched in version 0.31.0.0.

AnalysisAI

Stored blind cross-site scripting in CI4MS backup management allows authenticated attackers to inject malicious JavaScript payloads via SQL-backed backup filenames, achieving scope change with high confidentiality impact and low integrity/availability impact. The vulnerability exploits insufficient input sanitization during backup upload processing and unsafe output rendering in administrative views. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as low-privileged user

Delivery

Upload malicious SQL backup file

Exploit

Inject JavaScript payload in filename

Execution

Access backup management view

Impact

Execute arbitrary script in admin context