
Ci4ms CVE-2026-35035
EUVD-2026-19374 · HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-06 · security-advisories@github.com · GHSA-5ghq-42rg-769x
CVSS 3.1 score 7.2 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 7.2 HIGH
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (5 events)

Re-analysis Queued (cvss_changed) · Apr 22, 2026 19:07 · vuln.today
Patch released (patch available) · Apr 06, 2026 20:30 · nvd
EUVD ID Assigned (EUVD-2026-19374) · Apr 06, 2026 17:22 · euvd
Analysis Generated · Apr 06, 2026 17:22 · vuln.today
CVE Published (HIGH 7.2) · Apr 06, 2026 17:17 · nvd

Description (GitHub Advisory)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings - Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. These values are persisted in the database and rendered unsafely on public-facing pages only, such as the main landing page. There is no execution in the administrative dashboard; the vulnerability only impacts the public frontend. This vulnerability is fixed in 0.31.2.0.
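The defect the description names is a missing output-encoding step between the database and the public template. The stand-alone PHP script below is an added illustration, not code from the CI4MS project or from this advisory: it renders a constructed set of "Company Information" values once the vulnerable way (raw interpolation) and once with context-aware HTML escaping, and includes a small regression check a maintainer could keep in a test suite. The function names (renderFooterVulnerable, renderFooterFixed, escHtml, containsRawMarkup) and the sample settings are assumptions made for the example; the escaping matches what CodeIgniter 4's esc() helper performs in its default 'html' context.

```php
<?php
// Added example (not CI4MS project code) showing why stored settings that are
// interpolated into HTML without output encoding become stored XSS, and the fix.
// Requires PHP 8.0+ (str_contains).
declare(strict_types=1);

// Constructed sample of persisted settings, standing in for values an
// administrator could save under System Settings - Company Information.
// The company_name value carries markup so the two renders can be compared.
$companySettings = [
    'company_name'    => 'Example Ltd <script>alert(1)</script>',
    'company_address' => '1 Example Street "Suite" 2',
];

// VULNERABLE: the template emits the stored value verbatim. Whatever was saved
// in the admin form lands unchanged in every visitor's page.
function renderFooterVulnerable(array $settings): string
{
    return '<footer><p class="company">' . $settings['company_name'] . '</p>'
         . '<p class="address">' . $settings['company_address'] . '</p></footer>';
}

// Context-aware escaping for HTML text and attribute values. This is the same
// transformation CodeIgniter 4's esc($value) applies in its default 'html'
// context (it wraps Laminas Escaper, which uses htmlspecialchars).
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// FIXED: every user-controlled value is encoded at the point it enters HTML.
// In a CodeIgniter 4 view the equivalent is <?= esc($settings['company_name']) ?>.
function renderFooterFixed(array $settings): string
{
    return '<footer><p class="company">' . escHtml($settings['company_name']) . '</p>'
         . '<p class="address">' . escHtml($settings['company_address']) . '</p></footer>';
}

// Regression check: a stored value containing markup characters must never
// appear in the rendered page byte-for-byte. Returns true when the page leaks.
function containsRawMarkup(string $html, array $settings): bool
{
    foreach ($settings as $value) {
        if (str_contains($value, '<') && str_contains($html, $value)) {
            return true;
        }
    }
    return false;
}

$vulnerable = renderFooterVulnerable($companySettings);
$fixed      = renderFooterFixed($companySettings);

echo "Vulnerable render:\n$vulnerable\n\n";
echo "Fixed render:\n$fixed\n\n";
echo 'Vulnerable render leaks raw markup: '
    . var_export(containsRawMarkup($vulnerable, $companySettings), true) . "\n";
echo 'Fixed render leaks raw markup:      '
    . var_export(containsRawMarkup($fixed, $companySettings), true) . "\n";
```

Running the script with `php example.php` prints both renders; in the fixed output the angle brackets and quotes arrive as HTML entities, so the browser shows the text literally instead of executing it. The check in containsRawMarkup is deliberately strict about the stored value rather than about any particular payload, which is the property an upgrade to 0.31.2.0 should restore for every Company Information field.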

Analysis (AI)

Stored cross-site scripting (XSS) in CI4MS administrative settings allows authenticated administrators to inject malicious scripts that execute on public-facing pages. The vulnerability affects CI4MS versions prior to 0.31.2.0, where unsanitized input in System Settings - Company Information fields is stored in the database and rendered without proper output encoding on the public frontend. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate as administrator
Delivery: Access System Settings - Company Information
Exploit: Inject malicious JavaScript payload
Execution: Store unsanitized input in database
Persist: Render payload on public landing page
Impact: Execute script in visitor browsers

Vulnerability Assessment (AI)

Exploitation: Attacker requires high-privilege administrative access to CI4MS versions before 0.31.2.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Real-world exploitation risk is moderate despite the High CVSS score of 7.2. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: A malicious administrator or attacker with compromised admin credentials logs into the CI4MS administrative dashboard and navigates to System Settings - Company Information. They inject malicious JavaScript payloads into fields such as company name, address, or description that are designed to display on the public homepage. …
Remediation: Upgrade immediately to CI4MS version 0.31.2.0, which contains fixes for the stored XSS vulnerability in Company Information settings. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: inventory all CI4MS installations and document current versions; notify administrators of an access-controls review. …


CVE-2026-35035 vulnerability details – vuln.today
