CVE-2026-34558CRITICAL 9.0EPSS p22.2%
CVE-2026-34558CVE-2026-34558
Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding. These stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in Stored DOM-Based Cross-Site Scripting (XSS). This issue has been patched in version 0.31.0.0.
Scoring
| CVSS 3.1 | 9.0 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| EPSS | 0.31% probability of exploitation · percentile 22.2% · 2026-06-18T12:00:27Z |
| Published | 2026-03-30 |
| Last modified | 2026-04-06 |
Underlying weaknesses· 1
References
1
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-79 | 0% | live |
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.