Platform
php
Component
ci4-cms-erp/ci4ms
Fixed in
0.31.1
0.31.0.0
CVE-2026-34562 describes a stored DOM Cross-Site Scripting (XSS) vulnerability within the ci4-cms-erp/ci4ms system. This vulnerability allows attackers to inject malicious scripts through unsanitized input in the System Settings – Company Information section, resulting in immediate same-page execution. The vulnerability impacts versions of ci4-cms-erp/ci4ms up to and including 0.28.6.0, and a fix is available in version 0.31.0.0.
An attacker can leverage this XSS vulnerability to execute arbitrary JavaScript code in the context of a user's browser session. This could lead to session hijacking, credential theft, or defacement of the application. Because the vulnerability is stored, the malicious script persists on the server and can affect every user who views the compromised company information page. Successful exploitation could also allow an attacker to redirect users to phishing sites or install malware, expanding the potential impact beyond the immediate application. Because the payload executes on the same page as soon as it loads, there is no separate request or redirect for a user or a monitoring tool to notice, which makes detection and prevention harder.
CVE-2026-34562 was publicly disclosed on 2026-04-01. The vulnerability is not currently listed on the CISA KEV catalog. There are no publicly known proof-of-concept exploits available at this time, but the ease of exploitation inherent in DOM XSS suggests a potential for rapid exploitation if a PoC is released. The vulnerability's impact is amplified by the stored nature of the payload, making it a persistent threat.
Exploit Status
EPSS
0.05% (15th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34562 is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious input in the company information fields. Specifically, look for patterns associated with JavaScript injection, such as <script> tags, inline event handlers (e.g., onload, onclick), and common XSS payloads; treat such a rule as a stopgap, since pattern filters can be bypassed and do not fix the underlying output handling. Additionally, review and tighten input validation and output encoding practices within the application so that stored values are encoded for the context in which they are rendered, which prevents future XSS vulnerabilities of this kind. After upgrading, confirm the fix by attempting to inject a simple XSS payload into the company information settings and verifying that it is rendered as inert text rather than executed.
Update CI4MS to version 0.31.0.0 or higher. This version fixes the Stored Cross-Site Scripting (XSS) vulnerability in the company information configuration.
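The following is an added example and not code from the ci4ms project: it places the concatenation pattern that lets a stored company-information value execute beside an output-encoded rendering of the same field, and adds a coarse screen modelled on the WAF patterns the mitigation above describes. The field name `company_name` and the rendering functions are assumptions for illustration.

```javascript
// Added example, not code from the ci4ms project: output encoding for the
// stored company-information fields, beside the concatenation pattern that
// lets a stored payload execute, plus a coarse screen modelled on the WAF
// rule described in the advisory. Field names are assumptions.

// Encode the characters that break out of HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored value is pasted straight into markup, so
// any tag or event handler it contains becomes live when the page renders.
function renderCompanyUnsafe(settings) {
  return `<h2 class="company-name">${settings.company_name}</h2>`;
}

// Hardened pattern: every stored value is encoded on output. In browser code
// the equivalent is assigning textContent instead of innerHTML.
function renderCompanySafe(settings) {
  return `<h2 class="company-name">${escapeHtml(settings.company_name)}</h2>`;
}

// Coarse screen for what a stopgap WAF rule would flag in these fields:
// script tags, inline event-handler attributes and javascript: URLs.
// It is a signal for alerting, not a substitute for output encoding.
const SUSPICIOUS = [/<\s*script\b/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];
function looksLikeXss(value) {
  return SUSPICIOUS.some((re) => re.test(String(value)));
}

// Constructed sample values: a benign name with HTML metacharacters and a
// hostile one carrying an inline event handler.
const BENIGN = { company_name: 'Acme & Sons "Widgets"' };
const HOSTILE = { company_name: '<img src=x onerror="alert(1)">' };

// Quick self-check when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderCompanyUnsafe(HOSTILE));
  console.log('safe   :', renderCompanySafe(HOSTILE));
  console.log('flagged:', looksLikeXss(HOSTILE.company_name), looksLikeXss(BENIGN.company_name));
}
```

The screen deliberately accepts false positives (any `on<letters>=` sequence) because it only feeds an alert or block decision; the encoding step is what actually neutralises the stored value.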
CVE-2026-34562 is a stored DOM XSS vulnerability in ci4-cms-erp/ci4ms, allowing attackers to inject malicious scripts through unsanitized company information settings.
You are affected if you are using ci4-cms-erp/ci4ms versions 0.28.6.0 or earlier.
Upgrade to version 0.31.0.0 or later. As a temporary workaround, implement a WAF rule to filter malicious input.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential for rapid exploitation.
Refer to the official ci4-cms-erp project repository or website for the latest security advisories and updates.
CVSS Vector