CVE-2026-34565 โ€” CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready,โ€ฆ

/HIGH
CVE Notify vulnerabilitycve
CVE-2026-34565 โ€” CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready,โ€ฆ

Image via opengraph.githubassets.com

๐Ÿšจ CVE-2026-34565 CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through th

Release v0.31.0.0 - Major Security & Framework Update (CI 4.7.1 & Shield Integration) ยท ci4-cms-erp/ci4ms
github.com

What This Means For You

  • New vulnerability disclosed โ€” verify if your stack is exposed.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1505.003 Server Component: Web Shell Persistence T1059.007 Command and Scripting Interpreter: JavaScript Execution

Indicators of Compromise

IDTypeIndicator
CVE-2026-34565 XSS CI4MS prior to 0.31.0.0, Menu Management functionality, failure to sanitize user-controlled input when adding Posts to navigation menus, stored DOM-based XSS due to unsafely rendered values in administrative dashboards and public-facing navigation menus.
๐Ÿ”Ž
Turn this CVE into SIEM detection coverage Generate detection rules for Splunk, Sentinel, QRadar & Elastic โ€” straight from this vulnerability. Use /detect in the Intel Bot.
Open Intel Bot โ†’
Source & Attribution
Source PlatformTelegram
ChannelCVE Notify
PublishedApril 06, 2026 at 19:57 UTC

This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.

Believe this infringes your rights? Submit a takedown request.

Related coverage

BookingPress Pro Plugin: Critical RCE via Unauthenticated File Upload

CVE-2026-6960 โ€” The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in...

vulnerabilityCVEcriticalhigh-severityremote-code-executioncwe-434
/SCW Vulnerability Desk /CRITICAL /9.8 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-22678 โ€” The Email Template Description Field Of The System And Serve Cross-Site Scripting (XSS)

CVE-2026-22678 โ€” Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that...

vulnerabilityCVEmedium-severitycross-site-scripting-xsscwe-79
/SCW Vulnerability Desk /MEDIUM /5.4 /⚑ 2 IOCs /⚙ 3 Sigma

LiteLLM Privilege Escalation: User Role Manipulation Grants Admin Access (CVE-2026-47102)

CVE-2026-47102 โ€” LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to...

vulnerabilityCVEhigh-severitycwe-863
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 3 IOCs /⚙ 2 Sigma