Platform
php
Component
ci4-cms-erp/ci4ms
Fixed in
0.31.1
31.0.0
CVE-2026-34561 describes a stored DOM Cross-site Scripting (XSS) vulnerability discovered in the ci4-cms-erp/ci4ms CMS. This vulnerability allows attackers to inject malicious scripts through unsanitized input within the System Settings – Social Media Management section. Affected versions are those prior to 31.0.0. The vulnerability is mitigated by upgrading to the patched version.
The XSS vulnerability in ci4-cms-erp/ci4ms allows an attacker to inject arbitrary JavaScript code into the application. This code executes within the context of the user's browser, potentially enabling the attacker to steal session cookies, redirect users to malicious websites, or deface the application. The stored nature of the vulnerability means the injected payload persists, potentially affecting multiple users who visit the affected page. Successful exploitation could lead to complete account compromise and data exfiltration, similar to other XSS attacks targeting CMS platforms.
CVE-2026-34561 was publicly disclosed on 2026-04-01. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation, but the stored nature of the XSS suggests a potential for medium-level exploitation probability.
Exploit Status
EPSS
0.05% (15% percentile)
CISA SSVC
The primary mitigation for CVE-2026-34561 is to upgrade ci4-cms-erp/ci4ms to version 31.0.0 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Input validation and output encoding should be applied to all user-supplied data within the System Settings – Social Media Management section. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Review and update any existing input sanitization routines to ensure they are robust and effective. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the Social Media configuration fields and verifying that it is properly sanitized.
Update CI4MS to version 0.31.0.0 or higher. This version fixes the stored XSS vulnerability in the system configuration, specifically in social media management.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34561 is a stored DOM XSS vulnerability in ci4-cms-erp/ci4ms versions prior to 31.0.0, allowing attackers to inject malicious scripts via Social Media configuration fields.
You are affected if you are using ci4-cms-erp/ci4ms version 0.31.3.0 or earlier. Upgrade to 31.0.0 to mitigate the risk.
Upgrade ci4-cms-erp/ci4ms to version 31.0.0 or later. Implement input validation and output encoding as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's stored nature makes it a potential target.
Refer to the official ci4-cms-erp/ci4ms project website or repository for the latest security advisories and updates.
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.