Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.1, 0.31.0.0
CVE-2026-34557 describes a stored DOM-based Cross-Site Scripting (XSS) vulnerability in ci4-cms-erp/ci4ms. It allows an attacker to inject JavaScript into group and role management fields, where the payload can later execute in an administrative context. The vulnerability affects versions of ci4-cms-erp/ci4ms up to and including 0.28.6.0, and a fix is available in version 0.31.0.0.
The impact of this XSS vulnerability is significant, particularly given the administrative context in which it can be exploited. Injected JavaScript executes in the browser of any user who opens the affected administrative views, which could lead to session hijacking, credential theft, defacement of the application, or even complete compromise of the server. Because the vulnerability is stored, the malicious payload persists on the server and can affect multiple users over time. Exploitation could involve creating a group or role with a JavaScript payload in a vulnerable field and then enticing an administrator to view or modify that group or role, at which point the payload runs.
Public details regarding CVE-2026-34557 are limited as of the publication date. Its criticality (CVSS 9.1) indicates a high potential for exploitation. Although no active campaigns have been publicly reported, the ease of exploitation and the potential impact make it a likely target for attackers, so further monitoring and threat intelligence gathering are recommended.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34557 is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. If an immediate upgrade is not possible, apply temporary workarounds: validate user-supplied data on submission and encode it on output wherever it is used in the group and role management functionality. A Web Application Firewall (WAF) configured to detect and block XSS payloads adds a further layer of defense. Regularly review and audit group and role configurations for any suspicious or unexpected JavaScript code.
Update CI4MS to version 0.31.0.0 or higher. This version fixes the Stored Cross-Site Scripting (XSS) vulnerability in group and role management, preventing the execution of malicious JavaScript code in the administrative context.
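The output-encoding and audit steps above, as an added JavaScript example that is not ci4ms project code: escapeHtml() encodes a stored group or role field before it is rendered, renderRoleRow() shows the DOM-side pattern that writes text rather than HTML, and auditRecords() flags stored entries that contain markup. The record shape (id, name, description) and the sample data are constructed assumptions.

```javascript
// Added example (not ci4ms project code). Output encoding plus a review helper
// for stored group/role fields; the record shape and sample data are constructed.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: neutralises any stored payload at the point of rendering.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Safe DOM rendering: build the row from text nodes, never from HTML strings.
// (Takes a browser `document`; not exercised by the offline test.)
function renderRoleRow(doc, role) {
  const tr = doc.createElement('tr');
  for (const field of ['name', 'description']) {
    const td = doc.createElement('td');
    td.textContent = role[field] ?? ''; // textContent never parses markup
    tr.appendChild(td);
  }
  return tr;
}

// Review helper: flag stored fields containing tags, inline event handlers or
// javascript: URLs so an administrator can inspect and clean them.
const SUSPICIOUS = [/<\s*\/?\s*[a-z][^>]*>/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];

function auditRecords(records) {
  const findings = [];
  for (const rec of records) {
    for (const field of ['name', 'description']) {
      const value = rec[field];
      if (typeof value === 'string' && SUSPICIOUS.some((re) => re.test(value))) {
        findings.push({ id: rec.id, field, value });
      }
    }
  }
  return findings;
}

// Constructed sample data: one clean group and one carrying a stored payload.
const SAMPLE_GROUPS = [
  { id: 1, name: 'Editors', description: 'Can edit posts' },
  { id: 2, name: 'Admins<script>alert(1)</script>', description: 'x' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditRecords(SAMPLE_GROUPS)); // reports group 2, field "name"
  console.log(escapeHtml(SAMPLE_GROUPS[1].name)); // markup rendered inert
}
```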
CVE-2026-34557 is a critical stored DOM XSS vulnerability in ci4-cms-erp/ci4ms that allows attackers to inject malicious JavaScript into group/role management fields, where it may execute in an administrative context.
You are affected if you are using ci4-cms-erp/ci4ms versions 0.28.6.0 or earlier. Upgrade to 0.31.0.0 to resolve the vulnerability.
The recommended fix is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. Implement input validation and output encoding as a temporary workaround.
While no active campaigns have been publicly reported, the vulnerability's criticality and ease of exploitation suggest a high potential for exploitation. Continuous monitoring is advised.
Refer to the official ci4-cms-erp/ci4ms project repository or website for the latest advisory and security updates.