EUVD-2026-19374
GHSA-5ghq-42rg-769x
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Tags
Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0 , the application fails to properly sanitize user-controlled input within System Settings - Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. These values are persisted in the database and rendered unsafely on public-facing pages only, such as the main landing page. There is no execution in the administrative dashboard-the vulnerability only impacts the public frontend. This vulnerability is fixed in 0.31.2.0.
Analysis
Stored cross-site scripting (XSS) in CI4MS administrative settings allows authenticated administrators to inject malicious scripts that execute on public-facing pages. The vulnerability affects CI4MS versions prior to 0.31.2.0, where unsanitized input in System Settings - Company Information fields is stored in the database and rendered without proper output encoding on the public frontend. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: inventory all CI4MS installations and document current versions; notify administrators of access controls review. Within 7 days: upgrade to CI4MS 0.31.2.0 or later; conduct security awareness training on input validation risks. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today