Platform
php
Component
ci4-cms-erp/ci4ms
Fixed in
0.31.1
0.31.0.0
CVE-2026-34569 describes a stored DOM Cross-Site Scripting (XSS) vulnerability within the ci4-cms-erp/ci4ms CMS. This vulnerability allows attackers to inject malicious JavaScript payloads into blog category titles, leading to potential session hijacking, defacement, or redirection. The vulnerability affects versions of ci4-cms-erp/ci4ms up to and including 0.28.6.0, and a fix is available in version 0.31.0.0.
The impact of this XSS vulnerability is significant due to its stored nature. Once an attacker successfully injects a malicious payload into a blog category title, it will be persistently stored on the server and served to any user visiting the affected blog category page, administrative interfaces, or blog post views. This allows for a wide range of malicious activities, including stealing user session cookies, redirecting users to phishing sites, defacing the website, or executing arbitrary JavaScript code within the user's browser context. The persistent nature of the vulnerability means that the attack can affect a large number of users over time, making it a high-priority security concern. The lack of proper output encoding exacerbates the risk, ensuring the payload is rendered without sanitization.
The vulnerability has been publicly disclosed and detailed in the CVE description. As of the time of writing, there is no indication of active exploitation campaigns targeting this specific vulnerability. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation and the CRITICAL severity rating. The vulnerability has been added to the CISA KEV catalog, indicating a potential risk to federal information systems. Further monitoring is advised.
Exploit Status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34569 is to upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms, which includes the necessary fixes to properly sanitize user input. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious JavaScript payloads in blog category titles. Additionally, review and sanitize existing blog category titles for any potentially malicious content. While not a complete solution, restricting access to the blog management interface to authorized personnel can reduce the attack surface. After upgrading, confirm the fix by creating a new blog category with a simple JavaScript payload (e.g., <script>alert('XSS')</script>) and verifying that the payload is not executed when the category page is viewed.
Update CI4MS to version 0.31.0.0 or higher. This version fixes the Stored Cross-Site Scripting (XSS) vulnerability in blog categories. The update will prevent the execution of malicious JavaScript code injected into category titles.
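The remediation steps above come down to two things: encode category titles at output time so stored markup is rendered as text, and review titles that are already in the database. The PHP below is an added example written for this page, not code from the ci4-cms-erp/ci4ms project; the `blog_categories` table, the `title` column, the function names and the use of an in-memory SQLite database through PDO are all assumptions made for the demonstration. In a CodeIgniter 4 view the framework's `esc()` helper performs the same HTML encoding that `htmlspecialchars()` does here.

```php
<?php
// Added example (not from the ci4ms project): output-encode a blog category
// title before rendering, and audit already-stored titles for markup.
// Table name, column name and function names are assumptions.

/**
 * Vulnerable pattern: the stored title is echoed straight into HTML, so any
 * markup saved in the database is interpreted by every visitor's browser.
 */
function renderCategoryTitleVulnerable(string $title): string
{
    return '<h1 class="category-title">' . $title . '</h1>';
}

/**
 * Hardened pattern: HTML-encode at output time. ENT_QUOTES also encodes
 * single and double quotes so the value is safe inside attributes too.
 * In a CodeIgniter 4 view, esc($title) gives the same result.
 */
function renderCategoryTitleSafe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1 class="category-title">' . $encoded . '</h1>';
}

/**
 * Triage heuristic for the "review existing titles" step: flag stored
 * titles that contain tags, inline event handlers or javascript: URLs.
 * This only finds candidates for manual review; encoding at output is the fix.
 */
function titleLooksSuspicious(string $title): bool
{
    $patterns = [
        '/<\s*\/?\s*[a-z][^>]*>/i', // any HTML tag
        '/\bon[a-z]+\s*=/i',        // inline event handler attribute
        '/javascript\s*:/i',        // javascript: URL scheme
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $title) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Walk every stored category title and return the ids an admin should inspect.
 */
function auditCategoryTitles(PDO $db): array
{
    $flagged = [];
    foreach ($db->query('SELECT id, title FROM blog_categories') as $row) {
        if (titleLooksSuspicious((string) $row['title'])) {
            $flagged[] = (int) $row['id'];
        }
    }
    return $flagged;
}

// Demonstration on a constructed in-memory database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog_categories (id INTEGER PRIMARY KEY, title TEXT)');
$insert = $db->prepare('INSERT INTO blog_categories (title) VALUES (?)');
$insert->execute(['News & Updates']);                  // benign: an ampersand is not markup
$insert->execute(['Tips & <b>Tricks</b>']);            // stored markup, should be reviewed
$insert->execute(["<script>alert('XSS')</script>"]);   // the verification payload from the advisory

echo 'Category ids needing review: ' . implode(', ', auditCategoryTitles($db)) . PHP_EOL;
// Expected: 2, 3

$payload = "<script>alert('XSS')</script>";
echo renderCategoryTitleVulnerable($payload) . PHP_EOL; // browser would execute the script
echo renderCategoryTitleSafe($payload) . PHP_EOL;       // rendered as literal text, no execution
```

The same encoding must be applied in every place the title is rendered (category pages, the admin listing and blog post views, as L9 lists), and it belongs at output time rather than at save time: encoding on input breaks the value for non-HTML consumers such as JSON APIs and leaves old rows untouched, which is exactly why the post-upgrade verification step with the `<script>alert('XSS')</script>` payload is worth running against an existing category as well as a new one.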
CVE-2026-34569 is a CRITICAL stored DOM XSS vulnerability in ci4-cms-erp/ci4ms, allowing attackers to inject malicious JavaScript via blog category titles.
Yes, if you are using ci4-cms-erp/ci4ms versions ≤0.28.6.0, you are vulnerable to this XSS attack.
Upgrade to version 0.31.0.0 or later of ci4-cms-erp/ci4ms. Implement WAF rules as a temporary workaround.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted.
Refer to the official ci4-cms-erp project repository and security advisories for the latest information and updates.