Platform
php
Component
ci4-cms-erp/ci4ms
Fixed in
0.31.1
0.31.0.0
CVE-2026-34566 describes a stored DOM Cross-Site Scripting (XSS) vulnerability within the ci4-cms-erp/ci4ms CMS ERP system. This vulnerability allows attackers to inject malicious JavaScript payloads through unsanitized input fields in the Page Management functionality. Versions of ci4-cms-erp/ci4ms prior to 0.31.0.0 are affected, and a fix has been released.
The vulnerability lies in the lack of proper input sanitization when creating or editing pages within the CMS. An attacker can inject JavaScript code into page fields, which is then stored on the server. When these pages are subsequently viewed—either by administrators within the CMS or by public users—the stored JavaScript code is executed in the user's browser. This can lead to a variety of malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and the theft of sensitive user data. The stored nature of the XSS means the payload persists until the page is edited, making it a particularly dangerous threat.
CVE-2026-34566 was publicly disclosed on 2026-04-01. Its CRITICAL CVSS rating, together with the low barrier to exploiting stored XSS, makes exploitation likely. No proof-of-concept (POC) code had been publicly released at the time of writing, but given how easily stored XSS is exploited a POC is likely to emerge. Monitor security advisories and threat intelligence feeds for any indication of active exploitation campaigns.
Organizations using ci4-cms-erp/ci4ms for their ERP and CMS needs, particularly those with publicly accessible pages or administrative interfaces, are at risk. Shared hosting environments where multiple users share the same CMS instance are especially vulnerable, as an attacker could potentially compromise the entire hosting environment through this vulnerability.
• php: Examine page creation/editing forms for suspicious JavaScript code. Use grep to search for <script> tags or eval() calls in the database where page content is stored.
grep -r '<script' /path/to/database/backup
• generic web: Monitor access logs for unusual requests to page creation/editing endpoints with long or encoded parameters. Look for POST requests containing suspicious characters.
curl -s -X POST -d "page_title=<script>alert('XSS')</script>" https://example.com/admin/page/create | grep -i script
Disclosure
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34566 is to upgrade to version 0.31.0.0 or later, which includes the necessary input sanitization fixes. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious JavaScript payloads in the page creation and editing input fields. Additionally, review all existing pages for any signs of injected scripts. Regularly scan the application for XSS vulnerabilities using automated tools.
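The two detection items above (grepping stored page content for script tags and watching access logs for encoded payloads aimed at the page create/edit endpoints) and the "review all existing pages for injected scripts" step of the mitigation can be combined into one defender-side scan. The following is an added example written for this advisory; it is not code from the ci4-cms-erp/ci4ms project. It assumes the endpoint paths /admin/page/create (taken from the curl command above) and /admin/page/edit (an assumption), and the page records and log lines it scans are constructed sample data. Unlike a literal grep for '<script', it decodes URL encoding and HTML entities first, so percent- or entity-encoded payloads are also surfaced.

```python
"""Scan CMS page records and access-log lines for stored-XSS indicators.

Added example for CVE-2026-34566, not code from ci4-cms-erp/ci4ms.
All page records, endpoint paths and log lines below are constructed.
"""
import html
import re
from urllib.parse import unquote

# Indicator patterns. They run on decoded text, so a payload stored as
# %3Cscript%3E or &lt;script&gt; is caught too. Hits are review leads,
# not proof of compromise: a legitimately entity-escaped string will
# also match and must be triaged by a human.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    # an on*= attribute inside a tag, e.g. <img src=x onerror=...>
    "event_handler": re.compile(r"<[^>]+\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
}


def decode_layers(text, rounds=3):
    """Undo up to `rounds` layers of URL encoding and HTML entities."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def find_indicators(text):
    """Names of every indicator pattern that matches the decoded text."""
    decoded = decode_layers(text)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_pages(pages):
    """Return {page_id: [indicator, ...]} for every page record with a hit."""
    hits = {}
    for page in pages:
        found = find_indicators(page["title"] + "\n" + page["body"])
        if found:
            hits[page["id"]] = found
    return hits


# Request line of a combined/common access-log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines, endpoints, max_len=200):
    """Flag POSTs to the page create/edit endpoints whose request target
    carries an XSS indicator or is unusually long (encoded payloads).
    POST bodies are not in an access log, so only the query string is seen;
    body inspection needs a WAF or application-level logging."""
    flagged = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        target = m.group("target")
        path = target.split("?", 1)[0]
        if not any(path.startswith(ep) for ep in endpoints):
            continue
        reasons = find_indicators(target)
        if len(target) > max_len:
            reasons.append("long_target")
        if reasons:
            flagged.append({"line": n, "path": path, "reasons": reasons})
    return flagged


# Constructed sample data (not from any real ci4ms installation).
PAGE_ENDPOINTS = ["/admin/page/create", "/admin/page/edit"]  # /edit is assumed
SAMPLE_PAGES = [
    {"id": 1, "title": "About us", "body": "<p>We build ERP software.</p>"},
    {"id": 2, "title": "Contact", "body": "<p>Mail us</p><script>alert('XSS')</script>"},
    {"id": 3, "title": "News", "body": "&lt;img src=x onerror=alert(1)&gt;"},
    {"id": 4, "title": "Login", "body": '<a href="javascript:void(0)">Sign in</a>'},
]
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2026:10:00:00 +0000] "GET /admin/page/edit/7 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Apr/2026:10:00:05 +0000] "POST /admin/page/create HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Apr/2026:10:01:00 +0000] "POST /admin/page/create?page_title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Apr/2026:10:01:30 +0000] "POST /blog/comment?text=hello HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for page_id, found in scan_pages(SAMPLE_PAGES).items():
        print(f"page {page_id}: {', '.join(found)}")
    for hit in scan_access_log(SAMPLE_LOG, PAGE_ENDPOINTS):
        print(f"log line {hit['line']} {hit['path']}: {', '.join(hit['reasons'])}")
```

In a real review, feed scan_pages the rows of the table that holds page titles and bodies and scan_access_log the web server's access log; every hit is a candidate for manual inspection and, after the upgrade to 0.31.0.0 or later, for re-saving the page through the now-sanitizing editor.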
Update CI4MS to version 0.31.0.0 or later. This version fixes the stored cross-site scripting (XSS) vulnerabilities in the page management functionality.
CVE-2026-34566 is a CRITICAL stored DOM XSS vulnerability in ci4-cms-erp/ci4ms versions up to 0.28.6.0, allowing attackers to inject malicious JavaScript through page creation/editing inputs.
Yes, if you are using ci4-cms-erp/ci4ms version 0.28.6.0 or earlier, you are vulnerable to this XSS attack.
Upgrade to version 0.31.0.0 or later to resolve the vulnerability. As a temporary workaround, implement a WAF rule to filter malicious JavaScript.
While no active exploitation has been confirmed, the high CVSS score and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official ci4-cms-erp/ci4ms project repository or website for the latest security advisories and updates related to CVE-2026-34566.