Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.1, 0.31.0.0
CVE-2026-34559 describes a stored DOM Cross-Site Scripting (XSS) vulnerability within the ci4-cms-erp/ci4ms CMS ERP system. This vulnerability allows attackers to inject malicious JavaScript payloads into blog tag names, which are then stored and rendered without proper sanitization. The vulnerability affects versions of ci4-cms-erp/ci4ms up to and including 0.28.6.0, and a fix is available in version 0.31.0.0.
The impact of this XSS vulnerability is significant. An attacker can inject arbitrary JavaScript code that will execute in the context of any user accessing the affected blog tag pages or administrative interfaces. This could lead to account takeover, data theft (including sensitive user information), session hijacking, and defacement of the website. The stored nature of the XSS means the payload persists even after the initial attack, potentially affecting numerous users over time. Successful exploitation requires an attacker to create or edit a blog tag with the malicious payload, but once deployed, the impact is widespread.
CVE-2026-34559 was publicly disclosed on 2026-04-01. The vulnerability is considered critical due to the ease of exploitation and potential impact. There is currently no indication of active exploitation campaigns, and no public proof-of-concept (POC) code has been released. The vulnerability has not been added to the CISA KEV catalog as of this writing.
Organizations using ci4-cms-erp/ci4ms for their ERP and CMS needs are at risk, particularly those running versions 0.28.6.0 or earlier. Shared hosting environments where multiple websites share the same server instance are also at increased risk, as a compromised blog tag could potentially impact other websites on the same server.
• wordpress / composer / npm:
  grep -r "<script" /var/www/ci4ms/application/controllers/Blog.php
• generic web:
  curl -I 'https://your-ci4ms-site.com/blog/tag/malicious<script>alert(1)</script>'
• generic web: Inspect the HTML source of blog tag pages for any unexpected JavaScript code.
• generic web: Review access logs for requests containing suspicious characters in the tag name parameter.
Disclosure
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34559 is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious tag names containing JavaScript code. Additionally, carefully review and sanitize all user-supplied input within the blog management module. Monitor application logs for unusual activity, particularly related to blog tag creation and modification. There are no specific Sigma or YARA rules available at this time, but monitoring for JavaScript injection attempts in tag names is recommended.
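The detection list above recommends reviewing access logs for suspicious characters in the tag name parameter, and the mitigation paragraph recommends monitoring for JavaScript injection attempts in tag names. The following script is an added illustration of that check written for this advisory; it is not code from the ci4ms project. It assumes a `/blog/tag/<name>` URL shape and a combined-format access log, both of which are assumptions, and the log lines it scans are constructed sample data. It URL-decodes the tag name repeatedly before matching, so single- and double-encoded payloads are caught alike.

```python
"""Flag access-log requests whose blog tag name contains script-like content.

Added example for the CVE-2026-34559 advisory, not ci4ms project code.
Assumptions: tag pages live under /blog/tag/<name> and the log is in the
common "combined" format. The sample lines below are constructed.
"""
import re
from urllib.parse import unquote_plus, urlparse

# Assumed URL prefix for blog tag pages (not taken from the project).
TAG_PREFIX = "/blog/tag/"

# Minimal parser for combined-format access log lines: client IP, timestamp,
# method, request path and status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of markup or script in a value that should be a plain tag name.
INDICATORS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I),
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
}

# Constructed sample log: one benign tag request, two encoded injection
# attempts (single- and double-encoded), and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2026:10:00:00 +0000] "GET /blog/tag/security HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Apr/2026:10:00:05 +0000] "GET /blog/tag/%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5310 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Apr/2026:10:00:09 +0000] "GET /blog/tag/%253Cimg%20src%3Dx%20onerror%3Dalert(1)%253E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
    '203.0.113.2 - - [01/Apr/2026:10:00:12 +0000] "GET /blog/post/hello-world HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing, so %253C and %3C both become '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            return decoded
        value = decoded
    return value


def extract_tag(path):
    """Return the decoded tag name for a /blog/tag/<name> request, else None."""
    parsed = urlparse(path)
    if not parsed.path.startswith(TAG_PREFIX):
        return None
    return decode_fully(parsed.path[len(TAG_PREFIX):])


def suspicious_indicators(tag):
    """Sorted list of indicator names that match the decoded tag name."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(tag))


def scan_access_log(lines):
    """Return one finding per request whose tag name looks like an injection attempt."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        tag = extract_tag(match.group("path"))
        if tag is None:
            continue  # not a tag page request
        hits = suspicious_indicators(tag)
        if hits:
            findings.append({
                "ip": match.group("ip"),
                "time": match.group("time"),
                "status": int(match.group("status")),
                "tag": tag,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} tag={finding['tag']!r} "
              f"indicators={','.join(finding['indicators'])}")
```

Access logs only show tag names that appear in a request path, so a payload submitted in a POST body when a tag is created or edited in the admin interface will not be visible to this scan; for that, apply the same `suspicious_indicators` check to the application's own tag create/edit log events or to the stored tag table itself.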
Upgrade CI4MS to version 0.31.0.0 or later. This version fixes the stored Cross-Site Scripting (XSS) vulnerability by correctly sanitizing user input when blog tags are created or edited.
CVE-2026-34559 is a critical stored XSS vulnerability in ci4-cms-erp/ci4ms versions up to 0.28.6.0, allowing attackers to inject malicious JavaScript via blog tag names.
Yes, if you are using ci4-cms-erp/ci4ms version 0.28.6.0 or earlier, you are vulnerable to this XSS attack.
Upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. As a temporary workaround, implement a WAF rule to filter suspicious tag names.
There is currently no evidence of active exploitation, but the vulnerability's criticality warrants immediate attention and mitigation.
Refer to the official ci4-cms-erp project repository or website for the latest security advisories and updates related to CVE-2026-34559.