Platform
php
Component
ci4-cms-erp/ci4ms
Fixed in
0.31.1
0.31.0.0
CVE-2026-34567 is a stored DOM Cross-Site Scripting (XSS) vulnerability affecting versions of ci4-cms-erp/ci4ms up to 0.28.6.0. This vulnerability allows attackers to inject malicious JavaScript payloads into blog post categories, potentially leading to full account takeover and privilege escalation. A fix is available in version 0.31.0.0.
The vulnerability lies in the application's failure to properly sanitize user-controlled input when creating or editing blog post categories. An attacker can inject a malicious JavaScript payload into the category content field. Because this content is stored server-side and written back into the page unescaped, the payload runs in the browser of every user who views the category. This stored XSS allows for a wide range of malicious actions, including stealing session cookies, redirecting users to phishing sites, and defacing the website. The potential for full account takeover makes this a particularly severe risk, as an attacker could gain complete control over user accounts and potentially the entire application.
CVE-2026-34567 was publicly disclosed on 2026-04-01. The vulnerability's ease of exploitation and potential for account takeover suggest a medium probability of exploitation. Currently, there are no known public exploits or active campaigns targeting this vulnerability, but the lack of a fix in older versions leaves many systems exposed. It is recommended to prioritize patching to prevent potential future exploitation.
Exploit Status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to version 0.31.0.0 or later, which includes the necessary sanitization fixes. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious JavaScript payloads in the blog post category fields. Additionally, carefully review and sanitize all user-supplied input within the application. Monitor application logs for unusual activity, specifically looking for attempts to inject JavaScript code into blog post categories. After upgrading, confirm the fix by attempting to create a blog post category with a simple JavaScript payload (e.g., <script>alert('XSS')</script>) and verifying that the payload is properly sanitized and does not execute.
Update CI4MS to version 0.31.0.0 or higher. This version fixes the Stored Cross-Site Scripting (XSS) vulnerability in the blog post categories section. The update will prevent attackers from injecting malicious JavaScript code into category content.
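The advisory does not show the affected code, so the following is an added illustration, not code from the ci4ms project: it contrasts the pattern behind a stored XSS in a category listing (a stored value written straight into HTML) with an output-encoded rendering, expresses the post-upgrade check from the mitigation section as a function, and runs a simple log-monitoring heuristic over constructed sample log lines. It uses plain PHP (`htmlspecialchars`) rather than any framework helper; the function names, the `<li class="category">` markup, and the log line format are assumptions made for the example.

```php
<?php
// Added example, not code from ci4-cms-erp/ci4ms. Shows the unsafe rendering
// pattern beside the hardened one, plus the verification and log checks
// described in the mitigation text.

declare(strict_types=1);

// Constructed sample: a category name as an attacker could have stored it,
// using the same test payload the advisory suggests for verification.
const SAMPLE_CATEGORY = "News <script>alert('XSS')</script>";

// Vulnerable pattern: trusts the stored value and writes it into HTML as-is.
// Whatever was saved server-side is interpreted as markup by every viewer.
function renderCategoryUnsafe(string $name): string
{
    return "<li class=\"category\">{$name}</li>";
}

// Hardened pattern: HTML-encode at render time. ENT_QUOTES encodes both quote
// styles so the helper is also safe inside quoted attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// which would silently drop the category name rather than fail visibly.
function renderCategorySafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return "<li class=\"category\">{$escaped}</li>";
}

// Post-upgrade check from the advisory as a function: the rendered HTML must
// not contain an executable <script> element derived from the stored value.
function containsLiveScriptTag(string $html): bool
{
    return preg_match('/<\s*script\b/i', $html) === 1;
}

// Log-monitoring heuristic for the "watch for injection attempts" advice.
// It is a coarse signature (script tags and javascript: URLs, case-insensitive)
// meant for triage, not a complete XSS detector; tune it to the real log format.
function flagSuspiciousCategoryRequests(array $logLines): array
{
    $pattern = '/<\s*script\b|javascript:/i';
    $flagged = [];
    foreach ($logLines as $line) {
        if (preg_match($pattern, $line) === 1) {
            $flagged[] = $line;
        }
    }
    return $flagged;
}

$unsafe = renderCategoryUnsafe(SAMPLE_CATEGORY);
$safe   = renderCategorySafe(SAMPLE_CATEGORY);

echo "unsafe: {$unsafe}\n"; // script element survives and would run in the browser
echo "safe:   {$safe}\n";   // rendered as literal text: &lt;script&gt;...&lt;/script&gt;
echo 'unsafe still contains a script tag: ', var_export(containsLiveScriptTag($unsafe), true), "\n";
echo 'safe still contains a script tag:   ', var_export(containsLiveScriptTag($safe), true), "\n";

// Constructed log lines (assumed format: method, path, then the submitted field).
$sampleLog = [
    'POST /admin/blog/categories name=Tutorials',
    "POST /admin/blog/categories name=News+<script>alert('XSS')</script>",
    'POST /admin/blog/categories/edit/3 name=<SCRIPT>alert(1)</SCRIPT>',
];
foreach (flagSuspiciousCategoryRequests($sampleLog) as $hit) {
    echo "flagged: {$hit}\n";
}
```

The escaping helper belongs at every point where a category name reaches HTML, not only the listing shown here; a value encoded for the HTML body is not automatically safe inside a `<script>` block or a URL, which need their own context-specific encoding.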
CVE-2026-34567 is a stored DOM XSS vulnerability in ci4-cms-erp/ci4ms versions up to 0.28.6.0, allowing attackers to inject malicious JavaScript into blog post categories.
You are affected if you are using ci4-cms-erp/ci4ms version 0.28.6.0 or earlier. Upgrade to 0.31.0.0 to resolve the issue.
Upgrade to version 0.31.0.0 or later. As a temporary workaround, implement a WAF rule to block suspicious JavaScript payloads.
There are currently no known active exploits, but the vulnerability's severity and ease of exploitation suggest a potential risk.
Refer to the official ci4-cms-erp release notes and security advisories on their official website or GitHub repository.