Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-34989 (PATCHED)
composer · ci4-cms-erp/ci4ms

CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application does not sanitize user-controlled input when a user updates their profile name (full name or username). An attacker can set their own profile name to a JavaScript payload, which is stored server-side and later rendered in multiple application views without output encoding, resulting in stored cross-site scripting (CWE-79). The advisory title indicates that the affected views include profile and user-management pages, so the stored payload executes in the sessions of other users, including higher-privileged roles; that is what turns a self-stored XSS into account takeover and privilege escalation. This vulnerability is fixed in 31.0.0.0. Note that the version strings on this page are inconsistent: the advisory text gives 31.0.0.0 as the fixed release, while the VulDB entry cited below lists 0.28.5.0/0.31.0.0. Confirm the exact fixed tag against the GHSA advisory before scoping an upgrade.
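To make the description concrete, the following JavaScript is an added example written for this page; it is not code from CI4MS, the GHSA advisory or VulDB. It assumes a view that builds a profile card from a stored user record; the function names, the sample profile record and the payload in it are constructed for illustration. It renders the same record once without and once with HTML output encoding, counts how many tags each rendering contains, and shows an input-side allow-list check as defence in depth.

```javascript
// Added example (not CI4MS code): stored profile name reaching an HTML
// view with and without output encoding.

// Constructed sample: a profile record whose "name" was set by the
// attacker through the ordinary profile-update form. Any payload works;
// this one breaks out of a double-quoted attribute and then opens a tag.
const attackerProfile = {
  id: 42,
  name: '"><img src=x onerror=alert(document.cookie)>',
  role: "editor",
};

// Vulnerable rendering: the stored name is interpolated verbatim into
// both an attribute context and a text-node context. This mirrors a
// server view that prints the name without escaping, or a client
// template that assigns it via innerHTML.
function renderProfileCardUnsafe(user) {
  return (
    `<div class="user" data-name="${user.name}">` +
    `<span class="name">${user.name}</span>` +
    `<span class="role">${user.role}</span></div>`
  );
}

// HTML output encoding: the five characters that can change the parser
// state inside an HTML body or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: every untrusted field is encoded at the point of
// output, regardless of what validation happened when it was stored.
function renderProfileCardSafe(user) {
  const name = escapeHtml(user.name);
  const role = escapeHtml(user.role);
  return (
    `<div class="user" data-name="${name}">` +
    `<span class="name">${name}</span>` +
    `<span class="role">${role}</span></div>`
  );
}

// Count opening tags in rendered markup. The template itself contributes
// exactly three (div, span, span); anything above that came from data.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Input-side allow-list for a display name (letters, marks, digits,
// space, period, comma, apostrophe, hyphen; at most 64 code points).
// Defence in depth only: the apostrophe is allowed, so output encoding
// is still required wherever the name is rendered.
function isPlausibleProfileName(name) {
  return /^[\p{L}\p{M}\p{N} .,'\-]{1,64}$/u.test(String(name));
}
```

The encoded rendering is only safe because every attribute in the template is double-quoted; an unquoted attribute such as `data-name=${name}` could still be broken out of with a space. In CodeIgniter 4 the equivalent of `escapeHtml` at the output point is the `esc()` helper, and where the name is inserted client-side (the DOM half of the advisory title) it should be assigned with `textContent` rather than `innerHTML`.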

Affected Products

Vendor      Product               Versions
composer    ci4-cms-erp/ci4ms     < 31.0.0.0

References

  • https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr (x_refsource_CONFIRM)

Related News (1 article)

  • VulDB (Tier C, 3h ago): CVE-2026-34989 | ci4-cms-erp ci4ms 0.28.5.0/0.31.0.0 cross site scripting. No new info (linked only).
CISA KEV: No
Actively exploited: No
Patch available: Yes (status PATCHED; fixed in 31.0.0.0)
CWE: CWE-79
Published: Apr 3, 2026
Last enriched: 2h ago (v2)
Tags: GHSA-vr2g-rhm5-q4jr, composer
Trending score: 21
Source articles: 1
Independent: 1
Info completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • CVE-2026-35470 (CRITICAL, EXP): OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals. Trending: 27
  • CVE-2026-29782 (HIGH): OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2. Trending: 24
  • CVE-2026-34236 (HIGH): Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient… Trending: 14
  • CVE-2026-34557 (CRITICAL): CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to proper…
  • CVE-2026-35450 (MEDIUM): AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • Apr 3, 2026: CVE published
  • Apr 3, 2026: Discovered by ZDM
  • Apr 6, 2026: Updated affectedVersions, severity, patchAvailable
  • Apr 6, 2026: Patch available

Version History

  • v2 (Tier C, enriched 2h ago, via VulDB): Updated affected versions to include 0.28.5.0, changed severity to HIGH, and noted that no exploit is available. Fields changed: affectedVersions, severity, patchAvailable.
  • v1 (3d ago): Initial creation.