Home / Vulnerability Intelligence / CVE-2026-34557

CVE-2026-34557 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: April 1, 2026

CI4MS - Stored XSS

Published: March 30, 2026Updated: April 1, 2026Remote Exploitable

Overview

CI4MS < 0.31.0.0 contains a stored cross-site scripting caused by improper sanitization of user input in group and role management, letting attackers inject malicious scripts rendered in admin views, exploit requires admin access.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 4.6%(Probability of exploitation in next 30 days)

Impact

Attackers can execute malicious scripts in admin views, potentially leading to session hijacking or privilege abuse.

Mitigation

Update to version 0.31.0.0 or later.

References

https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-rpjr-985c-qhvm

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Mar 30, 2026

🔴 CVE-2026-34557 - Critical (9.1) CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within group ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34557/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 30, 2026

View original post

Related Resources

Details

CVE ID: CVE-2026-34557
Severity: Critical
CVSS Score: 9.1
Type: stored_xss
Status: unconfirmed
EPSS: 4.6%
Social Posts: 2

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

EPSS Score

4.6%Probability of exploitation in the next 30 days