CVE-2026-35035CRITICAL 9.0EPSS p36.1%

CVE-2026-35035CVE-2026-35035

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. These values are persisted in the database and rendered unsafely on public-facing pages only, such as the main landing page. There is no execution in the administrative dashboard—the vulnerability only impacts the public frontend. This vulnerability is fixed in 0.31.2.0.

Scoring

CVSS 3.19.0 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS0.46% probability of exploitation · percentile 36.1% · 2026-06-18T12:00:27Z
Published2026-04-06
Last modified2026-04-22

Underlying weaknesses· 1

CWE-79

References

  1. https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5ghq-42rg-769x
  2. https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5ghq-42rg-769x

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-790%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-34562
CVE
CVE-2026-34561
CVE
CVE-2026-34566
CVE
CVE-2026-34557
CVE
CVE-2026-34558
CVE
CVE-2026-34568
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.