{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T07:54:08.186","vulnerabilities":[{"cve":{"id":"CVE-2026-34558","sourceIdentifier":"security-advisories@github.com","published":"2026-03-30T21:17:10.493","lastModified":"2026-04-06T16:10:04.077","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding. These stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in Stored DOM-Based Cross-Site Scripting (XSS). This issue has been patched in version 0.31.0.0."},{"lang":"es","value":"CI4MS es un esqueleto de CMS basado en CodeIgniter 4 que ofrece una arquitectura modular lista para producción con autorización RBAC y soporte de temas. Antes de la versión 0.31.0.0, la aplicación no logra sanear correctamente la entrada controlada por el usuario dentro de la funcionalidad de Gestión de Métodos al crear o gestionar métodos/páginas de la aplicación. Múltiples campos de entrada aceptan cargas útiles de JavaScript controladas por el atacante que se almacenan en el servidor sin saneamiento ni codificación de salida. Estos valores almacenados se renderizan posteriormente directamente en interfaces administrativas y componentes de navegación global sin la codificación adecuada, lo que resulta en Cross-Site Scripting (XSS) persistente basado en DOM. Este problema ha sido parcheado en la versión 0.31.0.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.1,"impactScore":5.3},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","baseScore":9.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*","versionEndExcluding":"0.31.0.0","matchCriteriaId":"805F6B8A-9324-4CA4-BADE-439CC15DA14C"}]}]}],"references":[{"url":"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v77r-xg3p-75g7","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory","Mitigation"]}]}}]}