Platform
php
Component
ci4-cms-erp/ci4ms
Fixed in
0.31.1
0.31.0.0
CVE-2026-34563 describes a critical cross-site scripting (XSS) vulnerability affecting CI4MS, a CodeIgniter 4-based CMS. The application fails to properly sanitize user input during backup uploads, allowing attackers to inject malicious JavaScript code via SQL injection within backup files. This stored payload is then rendered unsafely in backup management views, leading to persistent XSS. This affects versions of CI4MS less than or equal to 0.31.0.0. The vulnerability is fixed in version 0.31.0.0.
CVE-2026-34563 in ci4ms introduces a stored Blind XSS vulnerability via backup management. An attacker can inject malicious JavaScript payload into the backup filename through insufficient sanitization of user-controlled input. The xss.sql file is leveraged to insert the payload, and while the XSS is blind (not immediately executed in the user's browser), it allows the attacker to track user interactions through server-side requests, potentially extracting sensitive information or performing actions on behalf of the user. The CVSS severity is 9.1, indicating a critical risk. Versions prior to 0.31.0.0 are affected. This type of attack can be difficult to detect as there's no visible JavaScript execution in the browser.
An attacker could exploit this vulnerability by uploading a malicious backup file (e.g., xss.sql) with a carefully crafted filename containing JavaScript code. This code will be stored in the database, and when the backup filename is processed, the JavaScript code will execute on the server, allowing the attacker to track user interactions. Exploitation requires access to the application's backup upload functionality, which might be available through a web interface or API. The blind nature of the XSS makes detection more challenging, as there is no direct visual indication of code execution.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34563 is to upgrade ci4ms to version 0.31.0.0 or later. This version includes a fix that properly sanitizes the backup filename, preventing malicious code injection. Additionally, implementing Content Security Policy (CSP) is recommended to mitigate the impact of potential XSS attacks, even after the application is updated. Regularly auditing the source code for injection vulnerabilities and conducting periodic penetration testing are recommended best practices to maintain application security.
Actualice CI4MS a la versión 0.31.0.0 o superior. Esta versión corrige la vulnerabilidad de Cross-Site Scripting (XSS) almacenada en la gestión de copias de seguridad, evitando la inyección de código JavaScript malicioso a través de nombres de archivos de copia de seguridad.
Vulnerability analysis and critical alerts directly to your inbox.
Blind XSS doesn't directly display the malicious code in the user's browser. Instead, the code executes on the server and is used to track user actions through server-side requests.
Version 0.31.0.0 includes a specific fix for this vulnerability, eliminating the possibility of malicious code injection into backup filenames.
CSP is a set of rules that the browser uses to determine which resources a web page can load, helping to prevent XSS attacks.
If you are using a version prior to 0.31.0.0, you are likely vulnerable. Conducting penetration testing can help confirm the vulnerability.
Isolate the affected system, investigate the security breach, upgrade to the latest version of ci4ms, and consider performing a comprehensive security audit.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.