Stored XSS, or persistent XSS, occurs when malicious JavaScript code is injected into a website's database. This code is then executed whenever a user visits a page that displays the stored data, potentially leading to account takeover or other malicious activities.

CI4MS is a CodeIgniter 4-based CMS skeleton designed to provide a production-ready, modular architecture with RBAC authorization and theme support. It simplifies the development of complex web applications by offering a solid foundation and reusable components.

How do I update CI4MS?

You can update CI4MS using the Composer package manager. Run the command `composer update ci4ms` in your project's root directory to update to the latest version, which includes the necessary security patches.

What are the risks of not patching CI4MS?

Failing to patch CI4MS leaves your application vulnerable to stored XSS attacks. Attackers could potentially inject malicious code to compromise user accounts, escalate privileges, or deface your website. Immediate patching is strongly recommended.

CI4MS: Multiple Stored XSS Vulnerabilities (CVE-2026)

Multiple stored cross-site scripting (XSS) vulnerabilities have been identified in CI4MS, a CodeIgniter 4-based CMS. These vulnerabilities could allow attackers to perform account takeover and privilege escalation. A patch is available in version 0.31.0.0.

These vulnerabilities range from medium to critical, potentially allowing complete system compromise.

What is Ci4ms?

Ci4ms is a component for codeigniter. It is a CodeIgniter 4-based CMS skeleton that provides a production-ready, modular architecture with RBAC authorization and theme support. Ci4ms aims to simplify the development of complex web applications by providing a solid foundation and reusable components. To learn more, search all ci4ms CVEs.

CVE-2026-34565: Stored XSS in Menu Management (Posts)

CVSS9.1

Affected versionsThis vulnerability affects CI4MS versions prior to 0.31.0.0. Any application using the Menu Management functionality with Posts is vulnerable.

Critical vulnerability, allowing remote code execution.

EPSS score of 0.046 indicates a low probability of exploitation.

The CI4MS application fails to properly sanitize user-controlled input when adding Posts to navigation menus. This allows an attacker to inject malicious JavaScript code that is stored server-side and executed when the menu is rendered, leading to a DOM-based XSS attack.

How to fix CVE-2026-34565 in Ci4ms

Patch immediately

1.Update your CI4MS installation to version 0.31.0.0 or later.

Update CI4MS

composer update ci4ms

Workaround: There is no workaround. Update to the patched version.

NextGuard automatically flags CVE-2026-34565 if Ci4ms appears in any of your monitored projects — no manual lookup required.

CVE-2026-34561: Stored XSS in System Settings (Social Media Management)

CVSS4.7

Affected versionsThis vulnerability affects CI4MS versions prior to 0.31.0.0. Any application using the System Settings – Social Media Management functionality is vulnerable.

Medium vulnerability, potentially leading to information disclosure.

EPSS score of 0.038 indicates a low probability of exploitation.

The CI4MS application fails to properly sanitize user-controlled input within the System Settings – Social Media Management section. An attacker can inject malicious JavaScript code into various configuration fields, leading to a stored XSS attack.

How to fix CVE-2026-34561 in Ci4ms

Patch within 7 days

1.Update your CI4MS installation to version 0.31.0.0 or later.

Update CI4MS

composer update ci4ms

Workaround: There is no workaround. Update to the patched version.

NextGuard automatically flags CVE-2026-34561 if Ci4ms appears in any of your monitored projects — no manual lookup required.

CVE-2026-34569: Stored XSS in Blogs Categories

CVSS10.0

Affected versionsThis vulnerability affects CI4MS versions prior to 0.31.0.0. Any application using the Blogs Categories functionality is vulnerable.

Critical vulnerability, allowing unauthenticated remote code execution.

EPSS score of 0.047 indicates a low probability of exploitation.

The CI4MS application fails to properly sanitize user-controlled input when creating or editing blog categories. An attacker can inject malicious JavaScript code into the category title field, leading to a stored XSS attack across public-facing blog category pages and administrative interfaces.

How to fix CVE-2026-34569 in Ci4ms

Patch immediately

1.Update your CI4MS installation to version 0.31.0.0 or later.

Update CI4MS

composer update ci4ms

Workaround: There is no workaround. Update to the patched version.

NextGuard automatically flags CVE-2026-34569 if Ci4ms appears in any of your monitored projects — no manual lookup required.

Stay ahead of codeigniter vulnerabilities

Proactively detect and respond to security threats in your CodeIgniter applications. monitor your codeigniter dependencies for early warnings.

Compare Plans

Frequently asked questions

Multiple stored XSS vulnerabilities were discovered in CI4MS. Ensure you update to version 0.31.0.0 or later to mitigate these risks and see all codeigniter vulnerabilities.