Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.1, 0.31.0.0
CVE-2026-34559 describes a stored Cross-Site Scripting (XSS) vulnerability (categorised here as stored DOM XSS) in the ci4-cms-erp/ci4ms CMS/ERP system. Blog tag names are accepted without sanitization, stored, and later rendered into pages without output encoding, so a tag name containing JavaScript executes in the browser of anyone who views a page where that tag appears. The vulnerability affects ci4-cms-erp/ci4ms versions up to and including 0.28.6.0; a fix is available in version 0.31.0.0.
The impact is significant. Injected JavaScript runs in the context of any user who views an affected blog tag page or the administrative interface where tags are listed, which can lead to account takeover, session hijacking, theft of sensitive user data, and defacement of the site. Because the payload is stored, it persists after the initial injection and fires for every subsequent viewer rather than only the victim of a single crafted link. Exploitation requires an account that is able to create or edit blog tags; once a malicious tag has been saved, no further interaction by the attacker is needed.
CVE-2026-34559 was publicly disclosed on 2026-04-01. It is considered critical because of the ease of exploitation and the potential impact. There is currently no indication of active exploitation campaigns, no public proof-of-concept (PoC) code has been released, and the vulnerability has not been added to the CISA KEV catalog as of this writing.
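To make the bug class concrete, here is an added illustration in plain Python; it is not code from ci4-cms-erp/ci4ms, and the template shape, the `/blog/tag/<name>` route and the payloads are assumptions. It renders a stored tag name the vulnerable way (verbatim interpolation) beside the hardened way (context-appropriate output encoding), and also shows why a storage-time or WAF-style blocklist that strips `<script>` tags is not an equivalent fix: an `<img onerror=...>` payload never contained a script tag, and a split tag reassembles after the filter runs.

```python
"""Stored XSS in a blog-tag template: vulnerable rendering beside the hardened form.

Added example, not the project's code. Template shape, route and payloads are assumed.
"""
import re
from html import escape
from urllib.parse import quote

# Constructed attacker inputs: what a user with tag-edit rights would submit as a tag name.
PAYLOADS = {
    "script": "<script>alert(document.cookie)</script>",
    "img": "<img src=x onerror=alert(document.cookie)>",
    # Splits the tag so a "remove <script>" filter reassembles it.
    "nested": "<scr<script>ipt>alert(1)</scr</script>ipt>",
}


def render_tag_vulnerable(name: str) -> str:
    """Interpolate the stored tag name verbatim into markup (the bug class on this page)."""
    return f'<a class="tag" href="/blog/tag/{name}">{name}</a>'


def render_tag_safe(name: str) -> str:
    """Encode for each output context: URL-encode the path segment, then HTML-escape both
    the attribute value and the element text. Nothing is stripped, so the stored value is
    preserved and displays exactly as entered, just not as markup."""
    path_segment = quote(name, safe="")  # '<', '>', '/', ':' etc. become %XX
    return (
        f'<a class="tag" href="/blog/tag/{escape(path_segment, quote=True)}">'
        f"{escape(name, quote=True)}</a>"
    )


def strip_script_tags(name: str) -> str:
    """Naive input filter of the kind a blocklist or WAF rule implements.
    Included only to show it is not a substitute for output encoding."""
    return re.sub(r"</?script[^>]*>", "", name, flags=re.IGNORECASE)


def executes_markup(html: str) -> bool:
    """Heuristic check: does the rendered HTML still contain a live <script> tag or a
    tag carrying an inline event handler? Sufficient for this demonstration only."""
    return bool(re.search(r"<script\b|<\w+[^>]*\bon\w+\s*=", html, re.IGNORECASE))


if __name__ == "__main__":
    for label, payload in PAYLOADS.items():
        print(f"{label:7} vulnerable={executes_markup(render_tag_vulnerable(payload))} "
              f"blocklist={executes_markup(render_tag_vulnerable(strip_script_tags(payload)))} "
              f"safe={executes_markup(render_tag_safe(payload))}")
```

The point of `render_tag_safe` is that encoding is applied at the moment the value is written into a specific context, not when it is stored; that is what a template-level fix in a CodeIgniter 4 view (its `esc()` helper) does, and it is what a WAF rule cannot do.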
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC: not given on this page
CVSS Vector: not given on this page
The primary mitigation for CVE-2026-34559 is to upgrade ci4-cms-erp/ci4ms to version 0.31.0.0 or later. If you cannot upgrade immediately, a Web Application Firewall (WAF) rule that rejects tag names containing script-like content (`<script`, inline event handlers such as `onerror=`, `javascript:` URLs) reduces exposure, but such blocklists are routinely bypassed with encoding and tag-splitting tricks, so treat the rule as a stopgap rather than a fix. The durable fix is on the output side: every place a tag name is written into HTML must encode it for that context (in CodeIgniter 4 views, the `esc()` helper), so review the blog management module for unescaped interpolation of tag names as well as for unsanitized input handling. Monitor application logs for unusual activity around blog tag creation and modification. No Sigma or YARA rules are available for this CVE at the time of writing, but alerting on JavaScript-injection patterns in submitted tag names is recommended.
Update CI4MS to version 0.31.0.0 or later. This version fixes the stored Cross-Site Scripting (XSS) vulnerability by properly sanitizing user input when blog tags are created or edited.
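Since no Sigma or YARA rules exist, here is an added example of the log monitoring the paragraph above recommends; it is not part of the project. It scans a constructed tag-management audit log (timestamp followed by key=value pairs, with the submitted name in a quoted `name="..."` field; that format is an assumption, adapt `parse_line()` to what the application actually writes), decodes URL- and HTML-encoded names so encoded payloads are not missed, and flags create/update events whose name carries XSS markers.

```python
"""Scan a tag-management audit log for script-injection attempts in blog tag names.

Added example, not code from ci4-cms-erp/ci4ms. The log format is assumed.
"""
import re
from html import unescape
from urllib.parse import unquote_plus

# Constructed sample log: three injection attempts among ordinary edits (one is not a tag event).
SAMPLE_LOG = """\
2026-04-01T10:12:03Z actor=editor ip=203.0.113.5 action=tag.create name="security"
2026-04-01T10:13:41Z actor=editor ip=203.0.113.5 action=tag.create name="<script>alert(document.cookie)</script>"
2026-04-01T10:14:02Z actor=marketing ip=198.51.100.7 action=tag.update id=17 name="news%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E"
2026-04-01T10:15:30Z actor=editor ip=203.0.113.5 action=tag.update id=18 name="&lt;svg onload=alert(1)&gt;"
2026-04-01T10:16:11Z actor=editor ip=203.0.113.5 action=post.create title="<b>not a tag</b>"
"""

# Markers of active content. A heuristic, not an HTML parser: expect a few false positives
# (a tag literally named "onion=" would trip the event-handler check) and tune to your data.
XSS_MARKERS = {
    "tag": re.compile(r"<\s*(script|svg|img|iframe|object|embed|math|video|audio|details|style)\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "js_url": re.compile(r"javascript\s*:", re.I),
    "srcdoc": re.compile(r"\bsrcdoc\s*=", re.I),
}

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """First token is the timestamp; the rest are key=value or key="quoted value" pairs."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    for key, quoted, bare in KV.findall(rest):
        rec[key] = quoted if quoted else bare
    return rec


def normalize(value: str, rounds: int = 3) -> str:
    """Undo URL- and HTML-encoding a few times (double encoding is a common evasion)."""
    for _ in range(rounds):
        decoded = unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value.replace("\x00", "")


def scan_log(text: str) -> list:
    """Return one finding per tag create/update whose submitted name carries XSS markers."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not rec.get("action", "").startswith("tag."):
            continue  # only blog tag events are in scope for this CVE
        name = normalize(rec.get("name", ""))
        markers = [k for k, pat in XSS_MARKERS.items() if pat.search(name)]
        if markers:
            findings.append({"ts": rec["ts"], "actor": rec.get("actor"), "ip": rec.get("ip"),
                             "action": rec["action"], "name": name, "markers": markers})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['actor']}@{f['ip']} {f['action']} "
              f"markers={f['markers']} name={f['name']!r}")
```

Run it against the real audit trail (or a WAF/request log that records the `name` parameter) and route findings to the same queue as other authenticated-abuse alerts: every hit names an account that already holds tag-edit rights, so the follow-up is an account review, not just a blocked request.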
CVE-2026-34559 is a critical stored XSS vulnerability in ci4-cms-erp/ci4ms versions up to 0.28.6.0, allowing attackers to inject malicious JavaScript via blog tag names.
Yes, if you are using ci4-cms-erp/ci4ms version 0.28.6.0 or earlier, you are vulnerable to this XSS attack.
Upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. As a temporary workaround, implement a WAF rule that rejects suspicious tag names; this reduces but does not eliminate the risk, since blocklists can be bypassed.
There is currently no evidence of active exploitation, but the vulnerability's criticality warrants immediate attention and mitigation.
Refer to the official ci4-cms-erp project repository or website for the latest security advisories and updates related to CVE-2026-34559.