Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.1, 0.31.0.0
A critical Stored Cross-Site Scripting (XSS) vulnerability has been identified in ci4-cms-erp/ci4ms versions up to 0.28.6.0. This flaw allows attackers to inject malicious JavaScript code into the backend user management interface, which is then executed when other administrators access the affected page. The vulnerability was published on 2026-04-01 and a fix is available in version 0.31.0.0.
The impact of this XSS vulnerability is severe. An attacker can inject arbitrary JavaScript code that executes within the context of an administrator's session. This allows for complete account takeover, including the ability to modify user data, install malicious code, and potentially compromise the entire system. Because the XSS is stored, the injected code remains active until it is removed and affects every user who views the vulnerable page. This is similar to other stored XSS vulnerabilities that have led to widespread data breaches and system compromises.
This vulnerability is considered critical due to its ease of exploitation and potential impact. Public proof-of-concept code may emerge, increasing the risk of widespread exploitation. As of the publication date (2026-04-01), there are no reports of active exploitation campaigns, but the vulnerability's severity warrants immediate attention. The CVE has been published, indicating public disclosure.
Exploit Status
EPSS: 0.05% (17th percentile)
The primary mitigation is to upgrade to version 0.31.0.0 or later, which contains the fix. If upgrading immediately is not possible, implement temporary workarounds. These include strict input validation on all user-supplied data within the backend user management functionality, ensuring all input is properly sanitized before being rendered. Implement output encoding to prevent the browser from interpreting user-supplied data as executable code. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly review and update security configurations.
Update CI4MS to version 0.31.0.0 or higher. This version fixes the stored XSS vulnerability in the backend user management.
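The output-encoding workaround described above, shown as an added example that is not ci4ms project code: one row of a backend user table rendered first with raw concatenation (the pattern that lets a stored `<script>` element execute) and then with HTML entity encoding at the point of output. The `$user` record, field names and the `renderUserRow*()` helpers are constructed for this illustration; ci4ms's own view and column names may differ.

```php
<?php
// Added example, not ci4ms project code. Field names are assumptions.

// Constructed sample record, as it might sit in the users table after an
// attacker stored script markup through a username field.
$user = [
    'id'       => 42,
    'username' => '<script>alert(1)</script>',
    'email'    => 'someone@example.com',
    'role'     => 'editor',
];

// Vulnerable pattern: untrusted fields are concatenated straight into HTML,
// so the browser parses the stored <script> element and runs it in the
// session of whichever administrator opens the user list.
function renderUserRowUnsafe(array $u): string
{
    return "<tr><td>{$u['id']}</td><td>{$u['username']}</td>"
         . "<td>{$u['email']}</td><td>{$u['role']}</td></tr>";
}

// Hardened pattern: every value is HTML-entity-encoded when it is written
// into the page. In CodeIgniter 4 views the esc() helper does this for the
// 'html' context; the plain-PHP equivalent is htmlspecialchars() with
// ENT_QUOTES so that attribute delimiters are encoded as well.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderUserRowSafe(array $u): string
{
    return '<tr><td>' . h((string) $u['id']) . '</td>'
         . '<td>' . h($u['username']) . '</td>'
         . '<td>' . h($u['email']) . '</td>'
         . '<td>' . h($u['role']) . '</td></tr>';
}

// The unsafe row contains a live <script> element; the safe row contains
// only text (&lt;script&gt;...) that the browser displays but never executes.
echo renderUserRowUnsafe($user), PHP_EOL;
echo renderUserRowSafe($user), PHP_EOL;
```

Encoding must happen at output time for the context in use (HTML body, attribute, JavaScript, URL); validating input on the way in is a useful second layer but does not replace it.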
CVE-2026-34571 is a critical Stored XSS vulnerability in ci4-cms-erp/ci4ms versions up to 0.28.6.0, allowing attackers to inject malicious JavaScript code into the backend user management interface.
You are affected if you are using ci4-cms-erp/ci4ms version 0.28.6.0 or earlier. Upgrade to 0.31.0.0 to mitigate the risk.
Upgrade to version 0.31.0.0. If immediate upgrade is not possible, implement strict input validation and output encoding as temporary mitigations.
As of the publication date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate action.
Refer to the official ci4-cms-erp project's release notes and security advisories for details on the fix and further information.