What is the CVSS score of CVE-2026-34568?

CVE-2026-34568 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Ci4ms are affected by CVE-2026-34568?

CI4MS blog module contains a stored cross-site scripting vulnerability affecting all versions prior to 0.31.0.0 that allows authenticated users with low-privilege accounts to inject persistent…. A patch is available.

How to fix or mitigate CVE-2026-34568?

Within 24 hours: identify all CI4MS instances and determine current version numbers; restrict blog post creation/editing permissions to trusted administrators only pending patching. Within 7 days: upgrade all CI4MS deployments to version 0.31.0.0 or later where vendor patch is available; test functionality in staging environment before production deployment. Within 30 days: conduct audit of blog post history for malicious content; review access logs for unauthorized blog module activity; implement content security policy (CSP) headers to mitigate XSS impact.

Ci4ms CVE-2026-34568

EUVD-2026-18082 CRITICAL

Cross-site Scripting (XSS) (CWE-79)

2026-04-01 GitHub_M

GHSA-x7wh-g25g-53vg

XSS Ci4ms

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch released

Apr 02, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 01, 2026 - 22:16 euvd

EUVD-2026-18082

Analysis Generated

Apr 01, 2026 - 22:16 vuln.today

CVE Published

Apr 01, 2026 - 21:28 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker can inject a malicious JavaScript payload into blog post content, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.

AnalysisAI

Stored cross-site scripting in CI4MS blog module allows authenticated attackers to inject malicious JavaScript that executes in victims' browsers across multiple application views. The vulnerability affects all versions prior to 0.31.0.0 and stems from insufficient input sanitization when creating or editing blog posts combined with unsafe output rendering. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as low-privileged user

Delivery

Inject JavaScript payload in blog post

Exploit

Store malicious payload on server

Execution

Render unsafely in application views

Persist

Execute XSS in victim browsers

Impact

Steal session tokens and user data