Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.1, 0.31.0.0
CVE-2026-34558 is a stored DOM cross-site scripting (XSS) vulnerability in ci4-cms-erp/ci4ms. An attacker who can submit input to the Methods Management functionality can inject JavaScript through fields that are not sanitized; the payload is stored server-side and executes in the browser of every user who loads a page on which the affected method is rendered. Versions prior to 0.31.0.0 are affected; the fix shipped in 0.31.0.0.
The impact is severe. Injected JavaScript runs in the application's origin and in the session context of whoever views the page, so it can be used for account takeover, theft of user and application data, session hijacking, and defacement. Because the payload is persistent, a single successful injection keeps firing for every viewer, and because the method is rendered globally rather than on one page, the blast radius can extend to all users of the application. HttpOnly session cookies limit direct token theft but do not stop script running in the application's origin from performing actions as the victim, so that flag is not a mitigation for this class of bug.
CVE-2026-34558 was publicly disclosed on 2026-04-01 and is rated CRITICAL (CVSS 9.1). No public proof-of-concept (PoC) has been released as of this writing, but stored XSS requires no special tooling beyond a form submission, so it is a likely target once details circulate. It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS: 0.05% (16th percentile)
The primary mitigation for CVE-2026-34558 is to upgrade to version 0.31.0.0 or later, which contains the fix. If upgrading immediately is not feasible, apply temporary workarounds. Encode all user-supplied data from the Methods Management functionality at output time for the context it lands in (HTML body, attribute, or JavaScript), and validate input against an allowlist on the way in; validation alone is not sufficient, because a value that passes a filter can still be dangerous in a context the filter did not anticipate. A Web Application Firewall (WAF) configured to detect XSS payloads adds a layer of defense, and existing WAF rules should be reviewed for the method creation and management endpoints, but WAF signatures are routinely bypassed with encoding variants and should not be treated as the fix. Monitor application logs for suspicious method creation and modification, and review existing method records for stored payloads: upgrading removes the injection path but does not clean records that were written before the upgrade.
Update CI4MS to version 0.31.0.0 or higher. This release fixes the stored XSS in the Methods Management functionality so that stored method data is no longer rendered as executable script in administrators' browsers.
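The following is an added example, not code from the ci4ms project, showing the vulnerable rendering pattern beside the hardened one for a stored "method" record. The record, the field names and the helper functions are this example's own assumptions; CodeIgniter 4's framework equivalent for the encoders is `esc($value, 'html')` and `esc($value, 'js')`, but plain PHP is used here so the script runs without the framework.

```php
<?php
// Added example (not ci4ms code). Models the two output contexts that matter
// for a stored XSS in method records: HTML body text and a value embedded in
// an inline <script>. The record below is constructed sample data.

declare(strict_types=1);

// Constructed sample: what a malicious "method" record could look like once
// stored. The name carries an HTML payload; the description tries to close
// the surrounding script element.
$storedMethod = [
    'name'        => '<img src=x onerror=alert(document.cookie)>',
    'description' => '</script><script>alert(1)</script>',
];

// VULNERABLE pattern: raw interpolation of stored data into markup. The
// onerror handler fires, and the description breaks out of the inline script.
// Kept only to contrast with the hardened version below.
function renderMethodVulnerable(array $m): string
{
    return '<h2>' . $m['name'] . '</h2>'
         . '<script>var desc = "' . $m['description'] . '";</script>';
}

// HTML-body context: entity-encode quotes, angle brackets and ampersand, and
// substitute invalid UTF-8 rather than silently returning an empty string.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript-string context: JSON-encode, and hex-escape < > & ' " so the
// value cannot terminate the <script> element or escape the string literal.
function escJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Hardened rendering: one encoder per output context. In CodeIgniter 4 the
// same two calls are esc($m['name'], 'html') and esc($m['description'], 'js').
function renderMethodHardened(array $m): string
{
    return '<h2>' . escHtml($m['name']) . '</h2>'
         . '<script>var desc = ' . escJs($m['description']) . ';</script>';
}

// Defence in depth on the input side: a method name is an identifier, so
// reject anything outside a narrow allowlist before it is stored. This rule
// is hypothetical for this example and does not replace output encoding.
function isValidMethodName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_ .-]{1,64}$/', $name);
}

echo "vulnerable:\n", renderMethodVulnerable($storedMethod), "\n\n";
echo "hardened:\n", renderMethodHardened($storedMethod), "\n\n";
echo 'name accepted by validation: ',
     var_export(isValidMethodName($storedMethod['name']), true), "\n";
```

If the stored method is later inserted into the page by client-side JavaScript rather than by the server, the same rule applies on that side: assign it through `textContent` or `createTextNode`, not `innerHTML`, because server-side encoding for one context does not protect a different sink.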
What is CVE-2026-34558? A critical stored DOM XSS vulnerability in ci4-cms-erp/ci4ms that allows attackers to inject JavaScript through Methods Management inputs.
Am I affected? Yes, if you run any ci4-cms-erp/ci4ms version prior to 0.31.0.0.
How do I fix it? Upgrade to version 0.31.0.0 or later. As a temporary workaround, validate method input and encode it at output time for the context it is rendered in.
Are there public exploits? None are known at the time of writing, but the severity and low effort required make it a likely target.
Where can I find more information? Refer to the official ci4-cms-erp project repository or website for the latest security advisories and updates.