EUVD-2026-18080
GHSA-458r-h248-29c5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Lifecycle Timeline
4Tags
Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Page Management functionality when creating or editing pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side. These stored values are later rendered without proper output encoding across administrative page lists and public-facing page views, leading to stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
Analysis
Stored cross-site scripting (XSS) in CI4MS page management functionality allows authenticated attackers to inject malicious JavaScript that executes in both administrative contexts and public-facing pages. Affecting CI4MS versions prior to 0.31.0.0, this vulnerability requires low-privilege authentication (PR:L) but enables scope change (S:C) with network-based remote exploitation (AV:N) and low attack complexity (AC:L). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all CI4MS instances and document current versions (check /app/Config/Constants.php or version endpoint). Within 7 days: Upgrade all instances to CI4MS version 0.31.0.0 or later per vendor advisory; test thoroughly in staging before production deployment. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today