CVE-2026-34989: Stored XSS in ci4-cms-erp/ci4ms <=0.31.3.0
Platform: codeigniter
Component: ci4ms
Fixed in: 31.0.0
CVE-2026-34989 describes a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript code into their profile name, an attacker can execute arbitrary scripts in the browsers of other users. This affects ci4-cms-erp/ci4ms versions up to and including 0.31.3.0. The vulnerability is fixed in version 31.0.0.0.
How to fix
Upgrade to version 31.0.0 or later to mitigate the vulnerability. This version includes proper sanitization of user input when updating the profile, preventing the injection of malicious JavaScript code.
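A fix that sanitizes input at profile update time covers new writes; whether the upgrade also cleans names stored earlier is not stated here, so the added example below (not code from the ci4ms project) audits existing profile names for markup after upgrading. The `(id, name)` row shape and the sample rows are assumptions constructed for illustration.

```python
import html
import re
import unicodedata

# Characters that can break out of HTML text or a quoted attribute.
# Apostrophe and ampersand are left out because they occur in real names.
MARKUP_CHARS = set('<>"`')
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!][^>]*>?")
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
SCHEME_RE = re.compile(r"\bjavascript\s*:", re.IGNORECASE)


def audit_name(name):
    """Return the reasons a stored profile name needs manual review."""
    # Normalize and decode entities so encoded or fullwidth markup is caught.
    decoded = html.unescape(unicodedata.normalize("NFKC", name))
    reasons = []
    if TAG_RE.search(decoded):
        reasons.append("html-tag")
    if HANDLER_RE.search(decoded):
        reasons.append("event-handler")
    if SCHEME_RE.search(decoded):
        reasons.append("javascript-uri")
    if not reasons and MARKUP_CHARS & set(decoded):
        reasons.append("markup-char")
    if any(unicodedata.category(c) == "Cc" for c in decoded):
        reasons.append("control-char")
    return reasons


def audit_rows(rows):
    """Map row id -> reasons for every (id, name) row that needs review."""
    return {row_id: r for row_id, name in rows if (r := audit_name(name))}


# Constructed sample rows; a real run would read them from the user table
# (hypothetical shape: id, profile name).
SAMPLE_ROWS = [
    (1, "Ayşe Yılmaz"),
    (2, "O'Brien"),
    (3, "<script>alert(1)</script>"),
    (4, "&lt;img src=x onerror=alert(1)&gt;"),
    (5, 'Jane "JD" Doe'),
]

if __name__ == "__main__":
    for row_id, reasons in audit_rows(SAMPLE_ROWS).items():
        print(row_id, ", ".join(reasons))
```

Rows reported only as `markup-char` are usually legitimate names and need no change if every template escapes the name on output.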
Frequently asked questions
What is CVE-2026-34989?
CVE-2026-34989 is a stored cross-site scripting (XSS) vulnerability in ci4-cms-erp/ci4ms that allows attackers to inject malicious JavaScript code into user profiles.
Am I affected by CVE-2026-34989?
You are affected if you are using ci4-cms-erp/ci4ms version 0.31.3.0 or earlier. An attacker could exploit this to execute arbitrary JavaScript in the browsers of other users.
How do I fix CVE-2026-34989?
Upgrade to version 31.0.0.0 or later of ci4-cms-erp/ci4ms. This version contains a fix that prevents the injection of malicious JavaScript code.