Home / Vulnerability Intelligence / CVE-2026-34559

CVE-2026-34559 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: April 3, 2026

CI4MS - Stored XSS

Published: April 1, 2026Updated: April 3, 2026Remote Exploitable

Overview

CI4MS < 0.31.0.0 contains a stored cross-site scripting caused by improper sanitization of user input in blog tag creation/editing, letting attackers inject malicious JavaScript executed on public and admin pages, exploit requires user input submission.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 1.7%(Probability of exploitation in next 30 days)

Impact

Attackers can execute malicious scripts in users' browsers, potentially stealing credentials or performing actions on behalf of users.

Mitigation

Update to version 0.31.0.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 2, 2026

🔴 CVE-2026-34559 - Critical (9.1) CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34559/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-34559
Severity: Critical
CVSS Score: 9.1
Type: stored_xss
Status: unconfirmed
EPSS: 1.7%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

EPSS Score

1.7%Probability of exploitation in the next 30 days