CriticalPublic exploit

Stored XSS in CI4MS profile name field

IdentifiersCVE-2026-34989CWE-79· Improper Neutralization of Input…

CVE-2026-34989 is a stored cross-site scripting vulnerability in CI4MS, a CodeIgniter 4-based CMS skeleton. In versions prior to 31.0.0.0, the application does not properly sanitize or safely encode user-controlled input supplied when a user updates their profile name, including fields such as full name or username. An attacker can place a malicious JavaScript payload into the profile name field; the application stores that payload server-side and later renders it in multiple views without proper output encoding. When those views are loaded, the injected script executes in the victim’s browser in the context of the CI4MS application.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated low-privilege attacker to execute arbitrary JavaScript in the browser context of users who view affected pages containing the attacker-controlled profile name. This can enable session theft, credential capture, unauthorized actions on behalf of victims, DOM manipulation, content injection, and access to sensitive data available to the victim within the application. Because the payload is stored server-side and rendered in multiple views, exploitation can persist and affect multiple users until the malicious value is removed.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, restrict or disable profile name editing for untrusted users, sanitize existing stored profile name values, and apply strict output encoding anywhere profile names are rendered. Additional compensating controls may include deploying a restrictive Content Security Policy to reduce script execution impact, monitoring for suspicious profile updates, and reviewing logs or database records for injected payloads in user profile fields.

Remediation

Patch, then assume compromise.

Upgrade CI4MS to version 31.0.0.0 or later, which fixes the vulnerability. Ensure all profile-name-related fields are handled with context-appropriate output encoding at every render point, and validate or sanitize stored user-supplied values as a defense-in-depth measure. Review templates and views that display profile names to confirm unsafe raw rendering is eliminated.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Ci4-Cms-ErpCi4msapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

cvefeed high severityNews

Apr 6, 2026

CVE-2026-34989 - CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

A stored cross-site scripting vulnerability in CI4MS where unsanitized profile name input is stored and later rendered without proper output encoding.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3