CVSS 9.1 | CVE-2026-34558, CVE-2026-34557, CVE-2026-34562

Multiple Vulnerabilities in CI4MS

Multiple vulnerabilities, including stored XSS and improper session invalidation, affect CI4MS. Update to version 0.31.0.0 to mitigate these issues.


Multiple vulnerabilities, including stored cross-site scripting (XSS) and improper session invalidation, have been discovered in CI4MS. These vulnerabilities could allow for account takeover, privilege escalation, and unauthorized access. Users of affected versions are strongly advised to update to version 0.31.0.0 as soon as possible.

These vulnerabilities range from medium to critical, potentially leading to full application compromise.

What is Ci4 Cms Erp/ci4ms?

ci4-cms-erp/ci4ms (CI4MS) is a PHP package, installed through Composer, that provides content management and ERP functionality. Because of the input-sanitization and session-management flaws described below, attackers can execute arbitrary JavaScript in other users' browsers, escalate privileges, and retain unauthorized access after an account has been removed. To learn more about ci4-cms-erp/ci4ms and its functionality, you can search all ci4-cms-erp/ci4ms CVEs. Keeping your components up to date is crucial for maintaining a secure application.

CVE-2026-34558: Stored DOM XSS in Methods Management

CVSS: 9.1
Affected versions: Users of CI4MS version 0.28.6.0 and earlier are affected by this vulnerability.

Critical vulnerability: attacker-supplied JavaScript executes in the browsers of users who view the affected pages.

EPSS score of 0.046 indicates a low probability of exploitation.

The application fails to sanitize user input in the Methods Management functionality, leading to stored DOM-based XSS. An attacker can inject malicious JavaScript payloads into method creation and management inputs, which are then executed globally across the application's navigation.

How to fix CVE-2026-34558 in Ci4 Cms Erp/ci4ms

Patch immediately
  1. Update the ci4-cms-erp/ci4ms component to version 0.31.0.0 or later:
     composer update ci4-cms-erp/ci4ms

Workaround: Implement strict output encoding (HTML entity encoding) before rendering user input.

NextGuard automatically flags CVE-2026-34558 if Ci4 Cms Erp/ci4ms appears in any of your monitored projects — no manual lookup required.

CVE-2026-34557: Stored DOM XSS in Permissions Management

CVSS: 9.1
Affected versions: Users of CI4MS version 0.28.6.0 and earlier are affected by this vulnerability.

Critical vulnerability: attacker-supplied JavaScript executes in the browser of any administrator who views the affected interface.

EPSS score of 0.046 indicates a low probability of exploitation.

The application fails to sanitize user input within group and role management, leading to stored XSS. An attacker can inject malicious JavaScript payloads into group-related input fields, which are then executed when an administrator views the role management interface.

How to fix CVE-2026-34557 in Ci4 Cms Erp/ci4ms

Patch immediately
  1. Update the ci4-cms-erp/ci4ms component to version 0.31.0.0 or later:
     composer update ci4-cms-erp/ci4ms

Workaround: Implement HTML encoding and sanitization of user inputs.

NextGuard automatically flags CVE-2026-34557 if Ci4 Cms Erp/ci4ms appears in any of your monitored projects — no manual lookup required.

CVE-2026-34562: Stored DOM XSS in System Settings (Company Information)

CVSS: 4.7
Affected versions: Users of CI4MS version 0.28.6.0 and earlier are affected by this vulnerability.

Medium vulnerability with potential for limited impact.

EPSS score of 0.038 indicates a low probability of exploitation.

The application fails to sanitize user input in System Settings - Company Information, leading to stored DOM XSS. An attacker can inject malicious JavaScript payloads into company information fields, which are then executed immediately on the same settings page.

How to fix CVE-2026-34562 in Ci4 Cms Erp/ci4ms

Patch within 7 days
  1. Update the ci4-cms-erp/ci4ms component to version 0.31.0.0 or later:
     composer update ci4-cms-erp/ci4ms

Workaround: Implement output encoding and input sanitization.

NextGuard automatically flags CVE-2026-34562 if Ci4 Cms Erp/ci4ms appears in any of your monitored projects — no manual lookup required.

CVE-2026-34566: Stored DOM XSS in Pages Management

CVSS: 9.1
Affected versions: Users of CI4MS version 0.28.6.0 and earlier are affected by this vulnerability.

Critical vulnerability: attacker-supplied JavaScript executes in the browsers of administrators and of visitors to public-facing pages.

EPSS score of 0.046 indicates a low probability of exploitation.

The application fails to sanitize user input in the Page Management functionality, leading to stored DOM XSS. An attacker can inject malicious JavaScript payloads into page-related input fields, which are then executed in administrative page lists and public-facing page views.

How to fix CVE-2026-34566 in Ci4 Cms Erp/ci4ms

Patch immediately
  1. Update the ci4-cms-erp/ci4ms component to version 0.31.0.0 or later:
     composer update ci4-cms-erp/ci4ms

Workaround: Implement output encoding and input sanitization.
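The workaround for the four stored XSS issues (CVE-2026-34558, CVE-2026-34557, CVE-2026-34562 and CVE-2026-34566) is the same: encode every stored value for the context it is rendered into. The PHP script below is an added example written for this advisory, not code from CI4MS; the method record, the renderMethodRow*/renderNavBootstrap functions and the NAV_METHODS global are constructed for illustration. It shows the vulnerable string concatenation beside the hardened rendering for both an HTML context and an inline-script (JSON) context, the latter being the path through which stored data usually reaches DOM-building navigation code.

```php
<?php
declare(strict_types=1);

// Constructed sample: a stored "method" name carrying a script payload, as an
// attacker would save it through one of the affected management forms.
const SAMPLE_METHODS = [
    ['id' => 7, 'name' => 'Sales <script>alert(1)</script>'],
];

// Encode for an HTML text or quoted-attribute context.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode a PHP value as a JSON literal that is safe inside an inline <script>
// block: JSON_HEX_TAG turns "<" and ">" into \u003C and \u003E, so a stored
// "</script>" can never close the tag early.
function escJs($value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($value, $flags);
}

// Vulnerable pattern: stored values concatenated straight into the markup.
function renderMethodRowUnsafe(array $method): string
{
    return '<li data-id="' . $method['id'] . '">' . $method['name'] . '</li>';
}

// Hardened pattern: every untrusted value is encoded for the context it lands in.
function renderMethodRowSafe(array $method): string
{
    return '<li data-id="' . escHtml((string) $method['id']) . '">'
        . escHtml($method['name']) . '</li>';
}

// Hardened pattern for data handed to client-side navigation code: emit a JSON
// literal; the browser-side script then inserts names with textContent, never
// innerHTML. (NAV_METHODS is a hypothetical global name.)
function renderNavBootstrap(array $methods): string
{
    return '<script>window.NAV_METHODS = ' . escJs($methods) . ';</script>';
}

// Self-check: the payload's tag must not survive either encoding path.
$unsafe = renderMethodRowUnsafe(SAMPLE_METHODS[0]);
$safe   = renderMethodRowSafe(SAMPLE_METHODS[0]);
$nav    = renderNavBootstrap(SAMPLE_METHODS);

if (strpos($unsafe, '<script>') === false) { throw new RuntimeException('sample was expected to be unsafe'); }
if (strpos($safe, '<script') !== false)    { throw new RuntimeException('HTML encoding failed'); }
if (substr_count($nav, '<script') !== 1)   { throw new RuntimeException('JS encoding failed'); }

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
echo $nav, PHP_EOL;
```

Run it with the php command-line binary; the checks throw if a payload survives. In a CodeIgniter 4 view the same two contexts are covered by the framework's esc($value, 'html') and esc($value, 'js') helpers, and any client-side code that builds menus or lists from the JSON should assign names with textContent rather than innerHTML.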

NextGuard automatically flags CVE-2026-34566 if Ci4 Cms Erp/ci4ms appears in any of your monitored projects — no manual lookup required.

CVE-2026-34570: Improper Session Invalidation on Account Deletion

CVSS: 8.8
Affected versions: Users of CI4MS version 0.28.6.0 and earlier are affected by this vulnerability.

High vulnerability leading to unauthorized access.

EPSS score of 0.083 indicates a low probability of exploitation.

The application fails to immediately revoke active user sessions when an account is deleted, leading to persistent unauthorized access. A deleted user remains fully logged in and can continue performing all actions allowed by their role indefinitely.

How to fix CVE-2026-34570 in Ci4 Cms Erp/ci4ms

Patch immediately
  1. Update the ci4-cms-erp/ci4ms component to version 0.31.0.0 or later:
     composer update ci4-cms-erp/ci4ms

Workaround: No practical workaround exists; patching is essential.
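To make clear what the fix in 0.31.0.0 has to achieve, the PHP script below is an added example written for this advisory, not CI4MS's own code. It uses a constructed in-memory users table and session store (the real application's models and session handler differ), and the names deleteAccountUnsafe, deleteAccountSafe and resolveRequestUser are assumptions. It reproduces the defect (a session that outlives its account), shows deletion that revokes the account's sessions at the same time, and adds a per-request check that refuses any session whose user no longer exists. These are changes a maintainer makes inside the application, which is why no drop-in workaround exists for the installed component.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-ins for the users table and the session store.
function sampleUsers(): array
{
    return [
        42 => ['id' => 42, 'email' => 'alice@example.test', 'role' => 'editor'],
        43 => ['id' => 43, 'email' => 'bob@example.test',   'role' => 'admin'],
    ];
}

function sampleSessions(): array
{
    return [
        'sess-a' => ['user_id' => 42],
        'sess-b' => ['user_id' => 43],
    ];
}

// Vulnerable pattern: the user row is deleted but its sessions live on, so the
// deleted user's browser keeps working with the role cached in the session.
function deleteAccountUnsafe(array &$users, int $userId): void
{
    unset($users[$userId]);
}

// Hardened pattern: delete the row and revoke every session bound to it in the
// same operation, so the very next request from the old browser is anonymous.
function deleteAccountSafe(array &$users, array &$sessions, int $userId): void
{
    unset($users[$userId]);
    foreach ($sessions as $sid => $data) {
        if (($data['user_id'] ?? null) === $userId) {
            unset($sessions[$sid]);
        }
    }
}

// Defence in depth: on every request, confirm the session's principal still
// exists before trusting anything cached in the session. In CodeIgniter 4 this
// belongs in a global "before" filter. It also catches deletions made through
// any code path that forgot to revoke sessions.
function resolveRequestUser(array $users, array &$sessions, string $sessionId): ?array
{
    $data = $sessions[$sessionId] ?? null;
    if ($data === null) {
        return null;
    }
    $user = $users[$data['user_id']] ?? null;
    if ($user === null) {
        unset($sessions[$sessionId]); // orphaned session: destroy it, then send the client to login
        return null;
    }
    return $user;
}

function check(bool $ok, string $failure): void
{
    if (!$ok) {
        throw new RuntimeException($failure);
    }
}

$users    = sampleUsers();
$sessions = sampleSessions();

// Reproduce the defect: after an unsafe delete the session is still present...
deleteAccountUnsafe($users, 42);
check(isset($sessions['sess-a']), 'unsafe delete was expected to leave the session in place');
// ...but the per-request check refuses it and destroys it.
check(resolveRequestUser($users, $sessions, 'sess-a') === null, 'orphaned session must be rejected');
check(!isset($sessions['sess-a']), 'orphaned session must be destroyed');

// The hardened delete revokes the session at deletion time.
deleteAccountSafe($users, $sessions, 43);
check(!isset($sessions['sess-b']), 'safe delete must revoke the sessions of the deleted user');
check(resolveRequestUser($users, $sessions, 'sess-b') === null, 'revoked session must be rejected');

echo "session invalidation checks passed", PHP_EOL;
```

Run it with the php command-line binary; each check throws if the behaviour is wrong. Revoking sessions at deletion time requires the application to know which session ids belong to which user, so the per-request existence check is the part that works regardless of the session handler in use.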

NextGuard automatically flags CVE-2026-34570 if Ci4 Cms Erp/ci4ms appears in any of your monitored projects — no manual lookup required.

Stay ahead of PHP vulnerabilities

Proactively detect and remediate PHP vulnerabilities in your projects. Monitor your PHP dependencies to prevent potential exploits.


Frequently asked questions

Multiple vulnerabilities in CI4MS require immediate attention. Update to version 0.31.0.0 to mitigate the risks and ensure the security of your application. See all PHP vulnerabilities.

Related topics

XSS, Session Management, PHP Security, Account Takeover, Privilege Escalation