Mallory

CI4MS Flaws Enable Account Takeover and Persistent Access After Deletion

Tags: identity-authentication-vulnerability, internet-facing-service-vulnerability, widely-deployed-product-advisory
Updated April 2, 2026 at 01:03 AM. 3 sources

CI4MS, a CodeIgniter 4-based CMS skeleton, patched two high-severity vulnerabilities in version 0.31.0.0 that could let attackers compromise accounts and bypass intended access controls. CVE-2026-34557 affects versions before that release and stems from improper sanitization in group and role management fields, allowing attackers with low privileges to inject malicious JavaScript that is later rendered in privileged administrative views. The stored DOM XSS can be used in the permissions-management context to escalate privileges and potentially achieve full account takeover across roles.

A second flaw, CVE-2026-34570, allowed deleted users to keep using already-active sessions because account deletion did not invalidate existing authentication tokens or sessions. In affected versions prior to 0.31.0.0, access checks were enforced only at login, so a removed account could retain unauthorized access until the session ended or the user logged out manually. The issue undermined access control and exposed confidentiality, integrity, and availability until the vendor corrected session handling in the patched release.
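The session flaw above comes down to where the account check happens. The following is an added illustration, not CI4MS code: an in-memory session store that, in its vulnerable configuration, validates the account only at login (so a deleted or deactivated user keeps a working session), and in its hardened configuration re-validates the account on every request and revokes all of the account's sessions when it is deleted. Names such as `SessionStore` and `demo` are assumptions for the example.

```python
import secrets


class SessionStore:
    """Minimal session store; check_each_request selects vulnerable/fixed behaviour."""

    def __init__(self, check_each_request: bool):
        self.users = {}      # username -> {"active": bool}
        self.sessions = {}   # session token -> username
        self.check_each_request = check_each_request

    def add_user(self, name: str) -> None:
        self.users[name] = {"active": True}

    def login(self, name: str):
        # Both designs enforce the account check here, at login time.
        user = self.users.get(name)
        if user is None or not user["active"]:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = name
        return token

    def deactivate_user(self, name: str) -> None:
        self.users[name]["active"] = False

    def delete_user(self, name: str) -> None:
        self.users.pop(name, None)
        if self.check_each_request:
            # Hardened design: revoke every session belonging to the deleted account.
            stale = [tok for tok, user in self.sessions.items() if user == name]
            for tok in stale:
                del self.sessions[tok]

    def authorize(self, token: str) -> bool:
        name = self.sessions.get(token)
        if name is None:
            return False
        if not self.check_each_request:
            return True  # vulnerable design: a valid token is trusted unconditionally
        # Hardened design: the account must still exist and be active on every request.
        user = self.users.get(name)
        return user is not None and user["active"]


def demo(check_each_request: bool, action: str) -> bool:
    """Log in a constructed user, then delete or deactivate it; return whether the old token still works."""
    store = SessionStore(check_each_request)
    store.add_user("alice")
    token = store.login("alice")
    store.delete_user("alice") if action == "delete" else store.deactivate_user("alice")
    return store.authorize(token)
```

With the login-only check, `demo(False, "delete")` and `demo(False, "deactivate")` both return True (the removed account is still authorized); with the per-request check both return False.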

Timeline

1. Apr 1, 2026: CVE-2026-34570 published for CI4MS session invalidation flaw

   A CVE entry was published for a CI4MS logic flaw where deleting a user account did not revoke active sessions. As a result, already-authenticated deleted users could retain unauthorized access until logout; the issue affected versions prior to 0.31.0.0.

2. Apr 1, 2026: CVE-2026-34567 published for CI4MS Categories stored XSS flaw

   A CVE entry was published for a stored cross-site scripting vulnerability in CI4MS Categories that affected versions prior to 0.31.0.0. The flaw allowed malicious JavaScript stored in blog post category content to execute when rendered, enabling privilege escalation and potential full account takeover for authenticated users.

3. Mar 30, 2026: CVE-2026-34557 published for CI4MS stored DOM XSS flaw

   A CVE entry was published for a stored DOM XSS vulnerability in CI4MS group and role management functionality. The flaw could let attackers inject malicious JavaScript into group-related fields that would execute in privileged administrative views, enabling privilege escalation and potential account takeover.

4. Mar 30, 2026: CI4MS releases version 0.31.0.0 with fixes for two security flaws

   CI4MS version 0.31.0.0 patched two vulnerabilities affecting earlier releases: a stored DOM XSS in group and role management later assigned CVE-2026-34557, and an improper session invalidation flaw later assigned CVE-2026-34570. Both issues affected versions prior to 0.31.0.0.


Related Stories

CI4MS Flaws Enable Persistent Access and Admin Account Compromise

CI4MS, a CodeIgniter 4-based CMS skeleton, was found to contain two critical vulnerabilities affecting versions prior to `0.31.0.0`. One flaw, tracked as `CVE-2026-34572`, allowed users with existing sessions to remain authenticated after their accounts were deactivated because account status was only enforced at login. With no session expiration or account expiration controls in place, deactivated users could keep accessing the application indefinitely until they manually logged out, undermining intended access restrictions across all roles. A second issue, `CVE-2026-34571`, exposed the platform to stored cross-site scripting in backend user management. Improper sanitization of user-supplied input allowed persistent JavaScript to execute automatically when administrators viewed affected pages, creating a path to session hijacking, privilege escalation, and full administrative account compromise. Both vulnerabilities were addressed in CI4MS version `0.31.0.0`.

1 month ago

CI4MS Stored DOM XSS Flaws Enable Account Takeover and Privilege Escalation

Two high-severity vulnerabilities in **CI4MS**, a CodeIgniter 4-based CMS skeleton, allow authenticated low-privilege users to trigger **stored DOM-based XSS** that can lead to full account takeover across roles and privilege escalation. **`CVE-2026-34558`** affects the **Methods Management** functionality, where improperly sanitized and encoded user input can be stored server-side and later executed in administrative interfaces and global navigation components. A second flaw, **`CVE-2026-34565`**, impacts **Menu Management** for posts, where malicious post data added to navigation menus can execute in both admin dashboards and public-facing menus. Both issues are classified as **CWE-79** and carry the same **CVSS v3.1** vector, `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L`; they affect CI4MS versions prior to **`0.31.0.0`** and were patched in **`0.31.0.0`**.

3 weeks ago

Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS

Two content management systems were identified with **unauthenticated SQL injection** vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. `CVE-2019-25697` affects **CMSsite 1.0**, where the `cat_id` parameter in `category.php` can be abused through crafted `GET` requests, potentially exposing usernames, credentials, and other database contents. A separate flaw, `CVE-2018-25300`, affects **XATABoost CMS 1.0.0** through a **union-based SQL injection** in the `id` parameter of `news.php`, also reachable remotely without authentication via crafted `GET` requests. Both records were published with **CWE-89** classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.

3 days ago
