Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.3, 0.31.2.0
CVE-2026-35035 describes a critical Stored DOM Blind Cross-Site Scripting (XSS) vulnerability affecting versions of ci4-cms-erp/ci4ms up to 0.31.1.0. An attacker can achieve full account takeover and privilege escalation by injecting malicious scripts into the System Settings Company Information section, whose contents are rendered on public-facing landing pages. A patch is available in version 0.31.2.0, and users are strongly advised to upgrade immediately.
The impact of CVE-2026-35035 is severe because of the potential for full account takeover and privilege escalation. An attacker can inject arbitrary JavaScript code into the System Settings Company Information section, which is then rendered on public-facing landing pages. This allows them to steal user credentials, modify data, perform actions on behalf of the compromised user, and potentially gain control of the entire application. The blind nature of the XSS makes it harder to detect, since execution of the payload may not be immediately visible to the user, which increases the risk of persistent compromise. This vulnerability could lead to significant data breaches, financial losses, and reputational damage.
CVE-2026-35035 was publicly disclosed on 2026-04-06. The CVSS score of 9.1 (CRITICAL) indicates a high probability of exploitation. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploitation inherent in XSS vulnerabilities suggests that a POC is likely to emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.10% (26th percentile)
CISA SSVC
The primary mitigation for CVE-2026-35035 is to upgrade to version 0.31.2.0 or later, which contains the fix. If upgrading immediately is not possible, consider implementing temporary workarounds. Input validation and sanitization on the System Settings Company Information section should be implemented to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security policies and procedures to ensure they address XSS vulnerabilities.
Upgrade to version 0.31.2 or later to fix the vulnerability. This version implements proper sanitization of user input in the system settings, preventing unsafe storage and rendering of that data on public pages.
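As an added example (not code from the ci4ms project), the following plain PHP shows the raw-interpolation pattern behind this class of bug beside context-aware output encoding and a minimal input check; the field names and the sample record are constructed for illustration.

```php
<?php
// Added example, not ci4ms project code: context-aware output encoding for
// settings that end up on a public landing page. Field names are assumed.
declare(strict_types=1);

// Constructed sample of a stored "Company Information" record; the script
// tag stands in for whatever payload was saved through the settings form.
$company = [
    'name'    => 'Acme <script>alert(1)</script>',
    'tagline' => 'Quotes " and \' and </script><b>x</b>',
];

// Input side (defense in depth): reject control characters and oversize
// values before storing. This does not replace output encoding.
function validateSetting(string $value, int $max = 255): bool
{
    return mb_strlen($value, 'UTF-8') <= $max
        && preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value) === 0;
}

// HTML body context: entity-encode & < > " ' for UTF-8 output.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript context: when settings are handed to client-side code (the
// usual root of a stored DOM XSS), emit them as JSON with < > & ' " hex
// encoded so a stored "</script>" cannot close the script block.
function escJs(array $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Vulnerable pattern: raw interpolation of stored data into HTML and into an
// inline script; both let the stored payload execute in every visitor's browser.
$vulnerable = "<h1>{$company['name']}</h1>\n"
    . "<script>var company = {\"name\":\"{$company['name']}\"};</script>\n";

// Hardened pattern: encode for the exact context each value lands in. On the
// client, copy these values into the page with textContent, never innerHTML.
$hardened = '<h1>' . escHtml($company['name']) . "</h1>\n"
    . '<script>var company = ' . escJs($company) . ";</script>\n";

echo "--- vulnerable ---\n", $vulnerable, "--- hardened ---\n", $hardened;
```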
CVE-2026-35035 is a critical Stored DOM Blind XSS vulnerability in ci4-cms-erp/ci4ms versions up to 0.31.1.0, allowing attackers to achieve full account takeover.
You are affected if you are using ci4-cms-erp/ci4ms version 0.31.1.0 or earlier and have public-facing landing pages.
Upgrade to version 0.31.2.0 or later. Implement input validation and sanitization as a temporary workaround.
While no public exploits are currently known, the high CVSS score and ease of exploitation suggest active exploitation is possible.
Refer to the official ci4-cms-erp project repository or website for the latest security advisories and updates.