Platform
php
Component
ci4-cms-erp/ci4ms
Fixed in
0.31.1
0.31.0.0
CVE-2026-34566 describes a stored DOM Cross-Site Scripting (XSS) vulnerability within the ci4-cms-erp/ci4ms CMS ERP system. This vulnerability allows attackers to inject malicious JavaScript payloads through unsanitized input fields in the Page Management functionality. Versions of ci4-cms-erp/ci4ms prior to 0.31.0.0 are affected, and a fix has been released.
The vulnerability lies in the lack of proper input sanitization when creating or editing pages within the CMS. An attacker can inject JavaScript code into page fields, which is then stored on the server. When these pages are subsequently viewed—either by administrators within the CMS or by public users—the stored JavaScript code is executed in the user's browser. This can lead to a variety of malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and the theft of sensitive user data. The stored nature of the XSS means the payload persists until the page is edited, making it a particularly dangerous threat.
CVE-2026-34566 was publicly disclosed on 2026-04-01. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation. No proof-of-concept (PoC) code had been publicly released at the time of writing, but stored XSS vulnerabilities are generally straightforward to exploit, so a PoC is likely to emerge. Monitor security advisories and threat intelligence feeds for any indication of active exploitation campaigns.
Exploit Status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34566 is to upgrade to version 0.31.0.0 or later, which includes the necessary input sanitization fixes. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious JavaScript payloads in the page creation and editing input fields. Additionally, review all existing pages for any signs of injected scripts. Regularly scan the application for XSS vulnerabilities using automated tools.
Update CI4MS to version 0.31.0.0 or higher. This version fixes the Stored Cross-Site Scripting (XSS) vulnerabilities in the page management functionality.
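The two paragraphs above describe the mechanism (page fields stored as entered and later echoed into HTML) and the mitigations (fix the output path, review pages already stored). The following PHP is an added example and not code from the ci4ms project: it shows the unsafe rendering pattern beside a hardened one that encodes for the HTML context with plain `htmlspecialchars`, and a heuristic scan that helps prioritise the "review all existing pages" step. The page records, field names (`title`, `slug`, `content`) and function names are assumptions made for the example.

```php
<?php
// Added example (not ci4ms project code). Demonstrates why unescaped output of a
// stored page field becomes stored XSS, the context-aware encoding that fixes it,
// and a triage scan over stored records. All data below is constructed.

declare(strict_types=1);

// Vulnerable pattern: the stored field is concatenated straight into markup, so
// whatever markup an editor saved is interpreted by every viewer's browser.
function renderTitleUnsafe(string $storedTitle): string
{
    return '<h1 class="page-title">' . $storedTitle . '</h1>';
}

// Hardened pattern: encode at output time for the HTML text/attribute context.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop content.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTitleSafe(string $storedTitle): string
{
    return '<h1 class="page-title">' . encodeHtml($storedTitle) . '</h1>';
}

// Triage aid for reviewing already-stored pages: flags records whose fields carry
// markup a title or slug should never contain. A heuristic for ordering manual
// review, not a sanitizer and not a substitute for output encoding.
function findSuspiciousPages(array $pages): array
{
    $patterns = [
        '/<\s*script\b/i',                 // inline script element
        '/\son[a-z]+\s*=/i',               // inline event handler attribute
        '/javascript\s*:/i',               // javascript: URL scheme
        '/<\s*(iframe|object|embed)\b/i',  // embedding elements
    ];
    $hits = [];
    foreach ($pages as $page) {
        foreach (['title', 'slug', 'content'] as $field) {
            $value = (string) ($page[$field] ?? '');
            foreach ($patterns as $pattern) {
                if (preg_match($pattern, $value) === 1) {
                    $hits[] = ['id' => $page['id'], 'field' => $field, 'pattern' => $pattern];
                    break; // one hit per field is enough for triage
                }
            }
        }
    }
    return $hits;
}

// Constructed sample records standing in for rows of a page table.
$pages = [
    ['id' => 1, 'title' => 'About us', 'slug' => 'about', 'content' => '<p>Plain page.</p>'],
    ['id' => 2, 'title' => 'News <script>alert(1)</script>', 'slug' => 'news', 'content' => ''],
    ['id' => 3, 'title' => 'Contact', 'slug' => 'contact', 'content' => '<a href="javascript:void(0)">x</a>'],
];

echo renderTitleUnsafe($pages[1]['title']), PHP_EOL; // script element reaches the browser intact
echo renderTitleSafe($pages[1]['title']), PHP_EOL;   // rendered as literal text: &lt;script&gt;...
foreach (findSuspiciousPages($pages) as $hit) {
    printf("page %d: field '%s' matched %s\n", $hit['id'], $hit['field'], $hit['pattern']);
}
```

Encoding belongs at the output boundary rather than at save time, because the same stored value may later be emitted into HTML text, an attribute, a URL or a script block, each of which needs different encoding. Where the CMS inserts page fields from client-side JavaScript, the same rule applies in the browser: assign the value with a text-setting API such as `textContent` rather than `innerHTML`. Fields that legitimately hold rich HTML (such as a page body) need an allowlist-based HTML sanitizer in addition to this, which the example above does not provide.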
CVE-2026-34566 is a CRITICAL stored DOM XSS vulnerability in ci4-cms-erp/ci4ms versions up to 0.28.6.0, allowing attackers to inject malicious JavaScript through page creation/editing inputs.
Yes, if you are using ci4-cms-erp/ci4ms version 0.28.6.0 or earlier, you are vulnerable to this XSS attack.
Upgrade to version 0.31.0.0 or later to resolve the vulnerability. As a temporary workaround, implement a WAF rule to filter malicious JavaScript.
While no active exploitation has been confirmed, the high CVSS score and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official ci4-cms-erp/ci4ms project repository or website for the latest security advisories and updates related to CVE-2026-34566.