CVE-2026-34564
CI4MS · CI4MS
CI4MS versions prior to 0.31.0.0 are susceptible to stored cross-site scripting (XSS) due to improper input sanitization in the Menu Management functionality.
Executive summary
A critical stored cross-site scripting vulnerability in CI4MS Menu Management allows for the injection of malicious payloads into navigation menus, impacting administrative and public users.
Vulnerability
This vulnerability occurs when page-related data is added to navigation menus without proper output encoding. An attacker can store malicious JavaScript payloads that execute upon rendering in administrative interfaces or public-facing menus.
Business impact
Exploitation of this flaw could result in the compromise of administrative sessions or the delivery of malicious content to end-users. The CVSS score of 9.1 reflects the high risk of widespread impact on the integrity and security of the CMS environment.
Remediation
Immediate Action: Update the CI4MS software to version 0.31.0.0 to resolve the underlying sanitization failure.
Proactive Monitoring: Review application performance and error logs for signs of script injection or unexpected behavior in the navigation menu generation process.
Compensating Controls: Utilize a Web Application Firewall (WAF) to filter out common JavaScript patterns from input fields until the software can be successfully updated.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
It is imperative that affected organizations update to CI4MS version 0.31.0.0 immediately. Failure to patch may allow attackers to leverage this vulnerability to gain unauthorized access or manipulate content delivered to legitimate users.