Platform
php
Component
ci4ms
Fixed in
31.0.1
31.0.0.0
CVE-2026-34989 describes a stored DOM Cross-Site Scripting (XSS) vulnerability in CI4MS. This vulnerability allows attackers to inject malicious JavaScript payloads into a user's profile name, which are then stored and rendered without proper sanitization. The vulnerability affects CI4MS versions up to 31.0.0. A fix is available in version 31.0.0.
An attacker can exploit this vulnerability by crafting a malicious JavaScript payload and injecting it into their profile name during an update. This payload is then stored on the server and subsequently rendered in various application views without proper output encoding. This allows the attacker to execute arbitrary JavaScript code in the context of other users' browsers who view the profile. The impact can range from session hijacking and credential theft to defacement of the application and redirection to malicious websites. This stored XSS is particularly dangerous as it persists even after the initial attack and can affect a wide range of users.
CVE-2026-34989 was published on 2026-04-06. No public proof-of-concept (POC) code has been released as of this date. The CVSS score of 9.5 (CRITICAL) indicates a high probability of exploitation if the vulnerability is exposed. It is recommended to prioritize remediation due to the severity and potential impact.
Exploit Status
EPSS
0.05% (16% percentile)
CISA SSVC
The primary mitigation for CVE-2026-34989 is to upgrade to CI4MS version 31.0.0 or later, which includes the necessary fixes. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data, particularly when rendering profile information. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update CI4MS configuration to ensure best practices are followed.
Update to version 31.0.0 or higher to mitigate the vulnerability. This version includes proper sanitization of user input when updating the profile, preventing the injection of malicious JavaScript code.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34989 is a critical stored XSS vulnerability in CI4MS versions 31.0.0 and earlier, allowing attackers to inject malicious JavaScript via profile name updates.
Yes, if you are using CI4MS versions 31.0.0 or earlier, you are vulnerable to this XSS attack. Upgrade to 31.0.0 immediately.
Upgrade CI4MS to version 31.0.0 or later. Implement strict input validation and output encoding as a temporary workaround.
While no active exploitation has been publicly confirmed, the high CVSS score suggests a high probability of exploitation if the vulnerability remains unpatched.
Refer to the official CI4MS security advisory page for details and updates regarding CVE-2026-34989: [Replace with actual CI4MS advisory URL]
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.