Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.1, 0.31.0.0
CVE-2026-34565 describes a stored DOM Cross-Site Scripting (XSS) vulnerability within the ci4-cms-erp/ci4ms application. This vulnerability allows attackers to inject malicious scripts that are persistently stored and rendered, potentially compromising administrative dashboards and public-facing navigation menus. The vulnerability affects versions of ci4-cms-erp/ci4ms up to and including 0.28.6.0, with a fix available in version 0.31.0.0.
The impact of this XSS vulnerability is significant. An attacker can inject arbitrary JavaScript that executes in the browser of any user who views the affected menu. This could lead to account takeover, data theft (including sensitive administrative credentials), redirection to malicious websites, or defacement of the application. Because the payload is stored server-side and re-rendered on every page load, it affects every user who views the compromised menu and keeps firing until the stored record itself is cleaned, even after the original injection path has been closed.
CVE-2026-34565 was published on 2026-04-01. Its CVSS score of 9.1 (CRITICAL) reflects a high-impact flaw with a low barrier to exploitation. Public proof-of-concept (POC) code is currently unknown, but the ease of exploitation inherent in DOM XSS suggests that a POC may emerge quickly. There are no indications of active campaigns targeting this vulnerability at this time, but given the severity and ease of exploitation, it is likely to become a target. Monitor security advisories and threat intelligence feeds for updates.
Organizations using ci4-cms-erp/ci4ms for their ERP and CMS needs, particularly those relying on the menu management functionality for navigation or administrative access, are at risk. Shared hosting environments where multiple websites share the same server resources are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Legacy configurations with outdated security practices are also at increased risk.
• wordpress / composer / npm:
grep -r '<script>' /var/www/ci4ms/application/controllers/Admin/Menu.php
grep -r '->view()' /var/www/ci4ms/application/views/*
• generic web:
curl -I http://your-ci4ms-site.com/admin/menu/add_post | grep -i 'x-xss-protection'
Inspect the HTML source code of the menu pages for any unexpected <script> tags or JavaScript code.
(Note that the X-XSS-Protection header is deprecated and ignored by current browsers; its presence or absence says nothing about whether the stored payload is still in the menu data, so the source inspection and the grep over the views are the checks that matter.)
Timeline: disclosure; patch (no dates given on the page)
Exploit status: not stated
EPSS: 0.04% (13th percentile)
CISA SSVC: not stated
CVSS vector: not stated
The primary mitigation for CVE-2026-34565 is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. If an immediate upgrade is not possible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input in the menu management section. Specifically, look for patterns indicative of JavaScript injection attempts. Additionally, review and sanitize any existing post data in the menu management system to remove any potentially malicious scripts. After upgrading, confirm the fix by adding a new post to a menu, viewing the menu, and verifying that the post content is properly sanitized and does not trigger any JavaScript execution.
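The output-encoding and stored-data review recommended above, as an added example written for this page and not code from the ci4ms project: a minimal HTML-entity encoder, an href allow-list, the unsafe string-concatenation render contrasted with the encoded form, and a scan that flags stored menu entries containing markup, event-handler or script-URL patterns so they can be cleaned after the upgrade. The sample menu posts are constructed, and all function names are assumptions.

```javascript
// Added example for this advisory page, not ci4ms project code.
// Constructed sample of stored menu posts: what attacker-controlled titles
// could look like once saved through the menu management form.
const storedMenuPosts = [
  { id: 1, title: 'Home', url: '/' },
  { id: 2, title: '<img src=x onerror="alert(1)">', url: '/about' },
  { id: 3, title: 'Contact</a><script>steal()</script>', url: '/contact' },
];

// Output encoding: entity-encode the five characters that matter in element
// content and double-quoted attribute values (same idea as CodeIgniter's esc()).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Input validation for the link target: only site-relative paths or http(s)
// URLs are allowed, so a stored "javascript:" URL cannot become an
// attribute-based vector even after encoding.
function safeHref(url) {
  const u = String(url).trim();
  if (u.startsWith('/') && !u.startsWith('//')) return u;
  if (/^https?:\/\//i.test(u)) return u;
  return '#';
}

// Vulnerable pattern (for contrast only): stored fields are concatenated
// straight into markup, so any tag in the title is parsed by the browser.
function renderMenuUnsafe(posts) {
  return '<ul>' + posts.map(p => `<li><a href="${p.url}">${p.title}</a></li>`).join('') + '</ul>';
}

// Hardened render: every dynamic value is encoded for the context it lands in.
function renderMenuSafe(posts) {
  return '<ul>' + posts.map(p =>
    `<li><a href="${escapeHtml(safeHref(p.url))}">${escapeHtml(p.title)}</a></li>`
  ).join('') + '</ul>';
}

// Data review after upgrading: flag existing entries whose title or url
// contains script tags, inline event handlers, script URLs or iframes.
const suspiciousPatterns = [
  /<\s*script/i,                       // <script ...>
  /<\s*[a-z]+[^>]*\bon[a-z]+\s*=/i,    // <tag ... onerror= / onload= ...
  /javascript\s*:/i,                   // javascript: URLs
  /<\s*iframe/i,                       // <iframe ...>
];
function findSuspiciousPosts(posts) {
  return posts
    .filter(p => suspiciousPatterns.some(re => re.test(p.title) || re.test(p.url)))
    .map(p => p.id);
}

// Stand-alone run: show the contrast and the review result.
console.log(renderMenuUnsafe(storedMenuPosts));
console.log(renderMenuSafe(storedMenuPosts));
console.log('posts needing review:', findSuspiciousPosts(storedMenuPosts));
```

In a real browser, the preferred fix for a client-side render is to build the menu with createElement and textContent rather than assigning HTML strings to innerHTML; the string-based render above keeps the example runnable outside a browser while showing the encoding itself. The pattern scan is a triage aid for the post-upgrade review of existing records, not a replacement for upgrading or for encoding on output.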
Upgrade CI4MS to version 0.31.0.0 or later. This version fixes the stored XSS vulnerability in menu management.
CVE-2026-34565 is a CRITICAL stored DOM XSS vulnerability in ci4-cms-erp/ci4ms, allowing attackers to inject malicious scripts via posts added to navigation menus.
You are affected if you are using ci4-cms-erp/ci4ms versions ≤0.28.6.0 and have not upgraded to 0.31.0.0 or applied appropriate mitigations.
Upgrade to version 0.31.0.0 or later. Implement input validation and output encoding as temporary workarounds.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation.
Refer to the official ci4-cms-erp/ci4ms project repository or website for the latest security advisories and updates.