Platform
php
Component
ci4-cms-erp/ci4ms
Fixed in
0.31.1
0.31.0.0
CVE-2026-34568 describes a stored DOM Cross-Site Scripting (XSS) vulnerability within the ci4-cms-erp/ci4ms application. This vulnerability allows attackers to inject malicious JavaScript payloads into blog post content, which are then stored and subsequently rendered without proper sanitization. The vulnerability impacts versions of ci4ms up to and including 0.28.6.0, and a fix is available in version 0.31.0.0.
An attacker can leverage this XSS vulnerability to execute arbitrary JavaScript code in the context of a victim's browser. This could lead to session hijacking, defacement of the website, redirection to malicious sites, or theft of sensitive information like cookies and credentials. The stored nature of the vulnerability means that a single successful injection can affect multiple users who view the compromised blog post. The impact is particularly severe because the payload is persistent, remaining on the server until manually removed, and can therefore affect a large number of users over time. As with other stored XSS vulnerabilities, the attacker controls which page carries the payload and therefore which users encounter it.
CVE-2026-34568 was publicly disclosed on 2026-04-01. The vulnerability is not currently listed on CISA KEV, and there is no EPSS score available. No public proof-of-concept (PoC) code has been released at the time of writing, but the relatively straightforward nature of XSS vulnerabilities suggests that a PoC could emerge quickly. Active exploitation is not currently confirmed.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34568 is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious JavaScript payloads in blog post content. Specifically, look for patterns indicative of XSS attempts, such as <script> tags, event handlers (e.g., onload, onclick), and JavaScript functions. Carefully review and sanitize all user-supplied input before rendering it in the application. Regularly scan the application for XSS vulnerabilities using automated tools.
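As an added example (not the ci4ms project's own code), the defect class behind this CVE shown in PHP: a stored blog post body interpolated raw into the page, beside the same render with output encoding applied. The function names and the sample post body are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample of an attacker-controlled post body as it might sit in the
// database. Storage is not the bug; rendering it unencoded is.
const SAMPLE_POST_BODY = 'Hello <b>world</b> <img src=x onerror="alert(document.cookie)">';

/**
 * Vulnerable pattern: the stored body is dropped straight into the HTML
 * response, so every tag and event-handler attribute it carries is parsed
 * and executed by each reader's browser.
 */
function renderPostUnsafe(string $title, string $body): string
{
    return "<article><h1>{$title}</h1><div class=\"body\">{$body}</div></article>";
}

/**
 * Hardened pattern: encode for the HTML text context at the point of output.
 * ENT_QUOTES covers both quote styles (attribute contexts), ENT_SUBSTITUTE
 * avoids an empty result on invalid UTF-8. In a CodeIgniter 4 view the
 * equivalent call is esc($body), whose default context is 'html'.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderPostSafe(string $title, string $body): string
{
    $safeTitle = escapeHtml($title);
    $safeBody  = escapeHtml($body);
    return "<article><h1>{$safeTitle}</h1><div class=\"body\">{$safeBody}</div></article>";
}

// Regression check worth keeping in a test suite: no raw attribute from the
// user-supplied body may survive into the response.
$unsafe = renderPostUnsafe('Post', SAMPLE_POST_BODY);
$safe   = renderPostSafe('Post', SAMPLE_POST_BODY);
echo 'vulnerable output carries onerror= : ' . var_export(str_contains($unsafe, 'onerror="'), true) . PHP_EOL; // true
echo 'hardened output carries onerror=   : ' . var_export(str_contains($safe, 'onerror="'), true) . PHP_EOL;   // false
```

Where authors legitimately need a subset of HTML in post bodies, full encoding turns their formatting into visible text; in that case pass the stored body through an allowlist-based HTML sanitizer (for example HTML Purifier) before output rather than a blocklist of tag names, which is the same gap a WAF pattern rule leaves.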
Update CI4MS to version 0.31.0.0 or later. This version contains a fix for the stored XSS vulnerability that allows execution of malicious JavaScript code in the context of the application.
CVE-2026-34568 is a CRITICAL stored XSS vulnerability in ci4-cms-erp/ci4ms versions up to 0.28.6.0. It allows attackers to inject malicious JavaScript into blog posts, affecting all users who view them.
Yes, if you are using ci4-cms-erp/ci4ms version 0.28.6.0 or earlier, you are vulnerable to this XSS attack. Carefully assess your deployment.
Upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. As a temporary workaround, implement a WAF rule to filter malicious JavaScript.
Active exploitation is not currently confirmed, but the vulnerability's nature suggests it could be exploited quickly.
Refer to the official ci4-cms-erp project's release notes and security advisories for details on this vulnerability and the fix.