CI4MS Stored DOM XSS Flaws Enable Account Takeover and Privilege Escalation
Two vulnerabilities in CI4MS, a CodeIgniter 4-based CMS skeleton, allow an authenticated low-privilege user to plant stored DOM-based XSS payloads that execute in the browsers of other users, including administrators, and can lead to full account takeover across roles and privilege escalation. CVE-2026-34558 affects the Methods Management functionality, where user input that is neither sanitized on input nor encoded on output is stored server-side and later inserted into the DOM of administrative interfaces and global navigation components, where it executes.
A second flaw, CVE-2026-34565, affects Menu Management for posts: malicious post data added to navigation menus executes in both admin dashboards and public-facing menus. Both issues are classified as CWE-79 and share the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L (network-reachable, low-privilege account required, no user interaction, changed scope). They affect CI4MS versions prior to 0.31.0.0 and were fixed in 0.31.0.0, which also addresses the further stored DOM XSS issues listed in the timeline below.
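The following JavaScript is an added illustration of the bug class the advisories describe; it is not CI4MS code, and the page does not show CI4MS's actual sinks or field names. It models a client-side navigation renderer that takes server-stored menu records and writes them into an innerHTML-style sink, beside a hardened version that encodes each value for its HTML context and allow-lists link schemes. The item records, the payload strings and the function names are constructed for the example.

```javascript
// Added example (not CI4MS code): stored DOM XSS in a navigation menu,
// vulnerable rendering beside a hardened one.
// Assumption: menu items are {label, url} records stored server-side by a
// low-privileged user and later rendered client-side into an innerHTML sink
// for every role, including administrators.

// Constructed sample data. Item 2 carries markup in its label, item 3 a
// script-scheme URL; both are the kind of value a stored-XSS report targets.
const STORED_MENU_ITEMS = [
  { label: "Home", url: "/" },
  { label: '<img src=x onerror="alert(document.domain)">', url: "/posts/1" },
  { label: "Docs", url: "javascript:alert(document.domain)" },
];

// Vulnerable: string concatenation straight into what becomes innerHTML.
// Any markup in `label` becomes live DOM; any scheme in `url` is honoured.
function renderMenuUnsafe(items) {
  return items
    .map((i) => `<li><a href="${i.url}">${i.label}</a></li>`)
    .join("");
}

// Contextual output encoding for HTML text and double-quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encoding alone does not protect a URL attribute: "javascript:" passes
// escapeHtml unchanged. Accept site-relative paths (not protocol-relative
// "//host") and absolute http(s) URLs; neutralise everything else.
function safeHref(url) {
  const s = String(url).trim();
  if (/^\/(?!\/)/.test(s)) return s;
  try {
    const u = new URL(s);
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (_) {
    // not an absolute URL (e.g. "//evil.example" has no base): fall through
  }
  return "#";
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderMenuSafe(items) {
  return items
    .map((i) => `<li><a href="${escapeHtml(safeHref(i.url))}">${escapeHtml(i.label)}</a></li>`)
    .join("");
}

// Regression check for a renderer: the only tags allowed to reach the sink
// are the template's own <li> and <a>, and no href may carry a script scheme.
function leaksUntrustedMarkup(html) {
  return /<(?!\/?(li|a)\b)/.test(html) || /href="javascript:/i.test(html);
}

console.log("unsafe:", renderMenuUnsafe(STORED_MENU_ITEMS));
console.log("safe:  ", renderMenuSafe(STORED_MENU_ITEMS));
```

The two renderers differ only in where encoding happens, which is the point of the advisories' "improper sanitization and output encoding" wording: the fix is contextual encoding at the sink, not filtering at the form. For server-rendered CodeIgniter 4 views the equivalent step is the framework's esc() helper with the right context; for values that client-side code inserts into the DOM, as modelled here, the browser-side code has to encode or use textContent/createElement, since server-side escaping of a JSON response does not reach an innerHTML sink.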

How this story unfolded
10 events, listed from the most recent confirmed update back to the earliest known activity.
CVE-2026-34989 disclosed for CI4MS Profile & User Management XSS
A new CVE, CVE-2026-34989, was published for a stored DOM-based XSS vulnerability in CI4MS Profile & User Management affecting versions prior to 0.31.0.0. The flaw allows a low-privileged authenticated user to inject malicious JavaScript through profile name fields, potentially leading to privilege escalation and full account takeover, and is referenced by GitHub advisory GHSA-vr2g-rhm5-q4jr.
GitHub receives advisory for CVE-2026-34568
GitHub Security Advisories received a report for CVE-2026-34568 affecting CI4MS Blogs Posts on April 1, 2026. The stored DOM-based XSS flaw impacts versions prior to 0.31.0.0 and could enable privilege escalation and full account takeover through malicious blog post content rendered without proper output encoding.
GitHub receives advisory for CVE-2026-34563
GitHub's security advisory process received a report for CVE-2026-34563 affecting CI4MS Backup Management. The stored blind DOM-based XSS flaw impacts versions prior to 0.31.0.0 and can enable privilege escalation and full account takeover through malicious backup filename metadata rendered in backup management views.
GitHub receives advisory for CVE-2026-34564
GitHub Security Advisories received a report for CVE-2026-34564 affecting CI4MS Menu Management for Pages on April 1, 2026. The stored DOM-based XSS flaw impacts versions prior to 0.31.0.0 and can enable privilege escalation and full account takeover through unsanitized page data rendered in admin and public navigation menus.
GitHub receives advisory for CVE-2026-34566
GitHub Security Advisories received a report for CVE-2026-34566 affecting CI4MS Pages Management on April 1, 2026. The stored DOM-based XSS flaw impacts page creation and editing prior to version 0.31.0.0 and can lead to privilege escalation and account takeover.
GitHub receives advisory for CVE-2026-34559
GitHub's security advisory process received a report for CVE-2026-34559 affecting CI4MS Blogs Tags. The stored DOM XSS flaw impacts tag creation and editing prior to version 0.31.0.0 and could enable privilege escalation or account takeover from low-privileged access.
CVE-2026-34565 disclosed for CI4MS Menu Management XSS
CVE-2026-34565 was disclosed for CI4MS, detailing a stored DOM-based XSS vulnerability in the Menu Management (Posts) feature that could affect both administrative dashboards and public-facing navigation menus.
GitHub receives advisory for CVE-2026-34565
GitHub's security advisory process received the CI4MS Menu Management (Posts) vulnerability report for CVE-2026-34565, a stored DOM-based XSS flaw triggered by post data added to navigation menus.
CVE-2026-34558 published for CI4MS Methods Management XSS
A vulnerability tracked as CVE-2026-34558 was published for CI4MS, describing a stored DOM-based XSS issue in the Methods Management functionality caused by improper sanitization and output encoding of user-controlled input.
CI4MS fixes stored DOM XSS flaws in version 0.31.0.0
CI4MS released version 0.31.0.0 to patch multiple stored DOM-based XSS vulnerabilities affecting versions prior to 0.31.0.0, including flaws in Methods Management and Menu Management (Posts) that could enable privilege escalation and account takeover.
Sources
8 references tracked.
CVE-2026-34989 - CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS (cvefeed.io)
CVE-2026-34559 - CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS (cvefeed.io)
CVE-2026-34564 - CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS (cvefeed.io)
CVE-2026-34566 - CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS (cvefeed.io)
CVE-2026-34563 - CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS (cvefeed.io)
CVE-2026-34568 - CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS (cvefeed.io)
CVE-2026-34565 - CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS (cvefeed.io)
CVE-2026-34558 - CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS (cvefeed.io)