CVE-2026-34563 - Vulnerability Analysis
CriticalCVSS: 9.1Last Updated: April 3, 2026
CI4MS - Stored XSS
Overview
CI4MS < 0.31.0.0 contains a stored XSS caused by improper sanitization of backup upload filenames and unsafe rendering in backup management views, letting attackers inject and execute JavaScript payloads, exploit requires uploading a crafted backup file.
Severity & Score
Impact
Attackers can execute arbitrary JavaScript in the context of the application, potentially leading to session hijacking or user impersonation.
Mitigation
Update to version 0.31.0.0 or later.
References
Social Media Activity(1 post)
š“ CVE-2026-34563 - Critical (9.1) CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when handling... š https://www.thehackerwire.com/vulnerability/CVE-2026-34563/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-34563
- Severity
- Critical
- CVSS Score
- 9.1
- Type
- stored_xss
- Status
- unconfirmed
- EPSS
- 4.6%
- Social Posts
- 1
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L