What is the CVSS score of EUVD-2026-18078?

EUVD-2026-18078 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Ci4ms are affected by EUVD-2026-18078?

CI4MS versions prior to 0.31.0.0 contain a stored cross-site scripting vulnerability in menu management that allows low-privilege authenticated users to inject malicious scripts executing in…. A patch is available.

How to fix or mitigate EUVD-2026-18078?

Within 24 hours: Identify all CI4MS instances in production and document current version numbers; restrict menu management access to administrators only pending patch deployment. Within 7 days: Deploy vendor-released patch to CI4MS version 0.31.0.0 or later across all affected instances; validate patch application in staging before production rollout. Within 30 days: Conduct comprehensive audit of menu management logs and stored content for evidence of malicious script injection; review and strengthen input validation/sanitization controls across all user-input fields; implement Content Security Policy (CSP) headers to mitigate XSS impact.

Ci4ms EUVD-2026-18078

| CVE-2026-34565 CRITICAL

Cross-site Scripting (XSS) (CWE-79)

2026-04-01 GitHub_M

GHSA-xgh5-w62m-8mpr

XSS Ci4ms

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch released

Apr 02, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 01, 2026 - 22:16 euvd

EUVD-2026-18078

Analysis Generated

Apr 01, 2026 - 22:16 vuln.today

CVE Published

Apr 01, 2026 - 21:26 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Management functionality. Post-related data selected via the Posts section is stored server-side and rendered without proper output encoding. These stored values are later rendered unsafely within administrative dashboards and public-facing navigation menus, resulting in stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.

AnalysisAI

Stored cross-site scripting (XSS) in CI4MS menu management allows authenticated users with low privileges to inject malicious scripts that execute in administrator and public user contexts. Affecting CI4MS versions prior to 0.31.0.0, attackers can exploit insufficient input sanitization when adding Posts to navigation menus, achieving cross-scope code execution (CVSS scope changed) with potential for session hijacking and administrative account compromise. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as low-privilege user

Delivery

Add malicious Post to navigation menu

Exploit

Inject unencoded JavaScript payload

Execution

Stored XSS executes in admin dashboard

Impact

Admin session hijacked via cookie theft