What is the CVSS score of EUVD-2026-17214?

EUVD-2026-17214 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Ci4ms are affected by EUVD-2026-17214?

CI4MS versions prior to 0.31.0.0 contain a stored cross-site scripting vulnerability in methods management that allows authenticated users to inject malicious code into administrative interfaces,…. A patch is available.

How to fix or mitigate EUVD-2026-17214?

Within 24 hours: Inventory all CI4MS deployments and identify current version numbers across production and non-production environments. Within 7 days: Apply vendor-released patch to upgrade all instances to CI4MS version 0.31.0.0 or later, beginning with production systems and validating functionality post-deployment. Within 30 days: Conduct administrative account audit to identify any unauthorized modifications to methods management or administrative interfaces made during the vulnerability window, and implement access logging for methods management functions.

Ci4ms EUVD-2026-17214

| CVE-2026-34558 CRITICAL

Cross-site Scripting (XSS) (CWE-79)

2026-03-30 GitHub_M

GHSA-v77r-xg3p-75g7

XSS Ci4ms

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch released

Apr 01, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Mar 30, 2026 - 21:00 euvd

EUVD-2026-17214

Analysis Generated

Mar 30, 2026 - 21:00 vuln.today

CVE Published

Mar 30, 2026 - 20:24 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding. These stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in Stored DOM-Based Cross-Site Scripting (XSS). This issue has been patched in version 0.31.0.0.

AnalysisAI

Stored Cross-Site Scripting in CI4MS methods management allows authenticated users to inject malicious JavaScript into administrative interfaces and global navigation, affecting all users including administrators. The vulnerability affects CI4MS versions before 0.31.0.0 with a CVSS score of 9.1 due to scope change (C) enabling privilege escalation. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as low-privilege user

Delivery

Inject JavaScript payload in Methods Management form

Exploit

Store malicious script in database

Execution

Admin views contaminated page

Impact

Execute arbitrary code in admin context