{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34563", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:31:39.265Z", "datePublished": "2026-04-01T21:25:13.797Z", "dateUpdated": "2026-04-02T16:23:49.154Z"}, "containers": {"cna": {"title": "CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-85m8-g393-jcxf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-85m8-g393-jcxf"}, {"name": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"}], "affected": [{"vendor": "ci4-cms-erp", "product": "ci4ms", "versions": [{"version": "< 0.31.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T21:25:13.797Z"}, "descriptions": [{"lang": "en", "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when handling backup uploads and processing backup metadata. An attacker can inject a malicious JavaScript payload into the backup filename via the uploaded xss.sql, which uses SQL functionality to insert the XSS payload server-side. This stored payload is later rendered unsafely in multiple backup management views without proper output encoding, leading to stored blind cross-site scripting (Blind XSS). This issue has been patched in version 0.31.0.0."}], "source": {"advisory": "GHSA-85m8-g393-jcxf", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-85m8-g393-jcxf", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:12:18.245287Z", "id": "CVE-2026-34563", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:23:49.154Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*", "matchCriteriaId": "805F6B8A-9324-4CA4-BADE-439CC15DA14C", "versionEndExcluding": "0.31.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when handling backup uploads and processing backup metadata. An attacker can inject a malicious JavaScript payload into the backup filename via the uploaded xss.sql, which uses SQL functionality to insert the XSS payload server-side. This stored payload is later rendered unsafely in multiple backup management views without proper output encoding, leading to stored blind cross-site scripting (Blind XSS). This issue has been patched in version 0.31.0.0."}], "id": "CVE-2026-34563", "lastModified": "2026-04-07T21:33:51.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-01T22:16:19.800", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-85m8-g393-jcxf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-85m8-g393-jcxf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.31.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ci4ms", "source": "cna", "vendor": "ci4-cms-erp"}, "product": "ci4ms", "vendor": "ci4-cms-erp"}], "analysis": {"en": {"generated_at": "2026-04-07T23:36:30.048196+00:00", "value": {"mitigation_remediation": ["Apply CI4MS version 0.31.0.0 or later to remove the XSS issue", "Verify that the running instance matches the patched version", "If upgrading immediately is not feasible, block or restrict access to the backup upload feature until the patch is applied", "Ensure output encoding is enabled for all backup metadata before rendering", "Monitor logs for abnormal backup uploads or JavaScript activity in the backup views"], "summary": {"action": "Immediate Patch", "impact": "Stored blind XSS causing full account takeover and privilege escalation"}, "threat_synthesis": {"affected_systems": "The affected vendor is ci4\u2011cms\u2011erp and the product is CI4MS. Any instance running a version older than 0.31.0.0 is vulnerable; the issue was addressed in the 0.31.0.0 release.", "description_and_impact": "CI4MS allows attackers to embed malicious JavaScript into the filename of an uploaded backup file, which the system stores and later renders in multiple backup management views without proper encoding. This stored blind cross\u2011site scripting flaw can be exploited to take over any user account, including those with highest privileges, and to elevate permissions for broader access. The weakness is a classic XSS vulnerability classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 9.1 indicates high severity, yet the EPSS score of less than 1% suggests current exploit activity is very low. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to upload a backup file through the backup interface, a path that typically requires authenticated access. Once the payload is stored, it will execute when any authorized user views the backup, allowing attackers to hijack accounts and boost privileges."}}}}, "created": "2026-04-02T07:47:20.462893+00:00", "updated": "2026-04-08T19:56:46.412495+00:00", "vendors": ["ci4-cms-erp", "ci4-cms-erp$PRODUCT$ci4ms"]}