Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.1, 0.31.0.0
CVE-2026-34565 describes a stored DOM Cross-Site Scripting (XSS) vulnerability within the ci4-cms-erp/ci4ms CMS ERP system. This vulnerability allows attackers to inject malicious scripts that are persistently stored and rendered, potentially compromising administrative interfaces and public-facing navigation menus. The vulnerability affects versions of ci4-cms-erp/ci4ms up to and including 0.28.6.0, with a fix available in version 0.31.0.0.
The impact of this XSS vulnerability is significant. An attacker can inject arbitrary JavaScript code that will be executed in the context of the user's browser when they view a page containing the malicious payload. This could lead to session hijacking, credential theft, defacement of the website, or redirection to malicious sites. Because the payload is stored persistently, it can affect multiple users and remain active until the vulnerability is patched. The attack surface extends to both administrative dashboards, potentially granting attackers control over the CMS, and public-facing navigation menus, impacting all website visitors. This vulnerability shares similarities with other XSS attacks where user-supplied data is not properly sanitized before being rendered in a web page.
CVE-2026-34565 was publicly disclosed on 2026-04-01. The vulnerability's criticality (CVSS 9.1) indicates a high likelihood of exploitation. As of this writing, there are no known public proof-of-concept exploits, but the ease of exploitation inherent in XSS vulnerabilities suggests that one may emerge. It is not currently listed on the CISA KEV catalog, but its severity warrants monitoring. Active campaigns targeting similar CMS platforms are common, increasing the risk of exploitation.
Exploit status: EPSS 0.04% (13th percentile)
The primary mitigation for CVE-2026-34565 is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. If an immediate upgrade is not possible, consider implementing temporary workarounds. Input validation and output encoding should be implemented to sanitize user-supplied data before it is stored and rendered. Web Application Firewalls (WAFs) can be configured to detect and block XSS attempts targeting the menu management functionality. Review and update any existing WAF rules to specifically address stored XSS vulnerabilities. Thoroughly test the upgrade process in a staging environment before deploying to production to avoid breaking changes. After upgrading, confirm the vulnerability is resolved by attempting to add a post to a menu with a simple XSS payload (e.g., <script>alert(1)</script>) and verifying that the script is not executed.
Update CI4MS to version 0.31.0.0 or higher. This version fixes the stored XSS vulnerability in menu management.
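One way to apply the output-encoding mitigation on the rendering side, as an added example that is not ci4ms code: a client-side menu renderer that HTML-encodes every stored field before it reaches the DOM and only accepts http(s) or site-relative link targets. The stored item shape {title, url} and the `nav` element id are assumptions.

```javascript
// Added example (not from the ci4ms project): rendering a stored menu without
// letting stored data reach the DOM as markup. Assumes each stored item is an
// object { title, url } fetched from the CMS.

// Encode the five characters that change meaning in HTML text and attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only link targets that cannot execute script: site-relative paths
// (one leading slash, so "//host" is refused), fragments, or http(s) URLs.
function isSafeHref(url) {
  const trimmed = String(url).trim();
  if (/^(\/(?!\/)|#)/.test(trimmed)) return true;
  try {
    const protocol = new URL(trimmed).protocol;
    return protocol === 'http:' || protocol === 'https:';
  } catch (e) {
    return false; // not an absolute URL and not a safe relative form
  }
}

// Build the menu markup; every field is encoded and unsafe hrefs are replaced
// with an inert placeholder instead of being passed through.
function renderMenu(items) {
  const entries = items.map((item) => {
    const href = isSafeHref(item.url) ? escapeHtml(item.url) : '#';
    return `<li><a href="${href}">${escapeHtml(item.title)}</a></li>`;
  });
  return `<ul class="nav">${entries.join('')}</ul>`;
}

// Constructed sample: one benign entry and one carrying a script payload in
// both the title and the URL, as a stored XSS test record would.
const storedMenu = [
  { title: 'Home', url: '/' },
  { title: '<script>alert(1)</script>', url: 'javascript:alert(1)' },
];

// Browser usage; guarded so the block also runs under Node without a DOM.
if (typeof document !== 'undefined') {
  document.getElementById('nav').innerHTML = renderMenu(storedMenu);
}
```

The same encoding must happen wherever stored menu data is written into the page; a renderer that uses innerHTML with the raw title reproduces the vulnerability the advisory describes.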
CVE-2026-34565 is a CRITICAL stored DOM XSS vulnerability in ci4-cms-erp/ci4ms, allowing attackers to inject malicious scripts via posts added to navigation menus.
You are affected if you are using ci4-cms-erp/ci4ms versions ≤0.28.6.0 and have not upgraded to 0.31.0.0 or applied appropriate mitigations.
Upgrade to version 0.31.0.0 or later. Implement input validation and output encoding as temporary workarounds.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation.
Refer to the official ci4-cms-erp/ci4ms project repository or website for the latest security advisories and updates.