CVE-2026-34565
CI4MS · CI4MS
CI4MS versions prior to 0.31.0.0 contain a stored cross-site scripting (XSS) vulnerability within the Menu Management functionality when adding Posts.
Executive summary
An authenticated stored cross-site scripting vulnerability in the CI4MS Menu Management feature exposes administrative and public users to malicious JavaScript execution.
Vulnerability
The application fails to sanitize post-related data when adding content to navigation menus. This allows an attacker to store malicious JavaScript payloads that execute unsafely within both administrative dashboards and public-facing navigation menus.
Business impact
The ability to inject scripts into navigation menus threatens the security of both backend administrators and frontend users. With a CVSS score of 9.1, this vulnerability allows for severe impact, including unauthorized data access and potential escalation of privileges via session theft.
Remediation
Immediate Action: Apply the vendor-provided patch by upgrading the CI4MS application to version 0.31.0.0.
Proactive Monitoring: Monitor administrative audit logs for unusual changes to navigation menus or post associations that could indicate an injection attempt.
Compensating Controls: Implement a Content Security Policy (CSP) to restrict the execution of inline scripts and unauthorized external resources as a temporary mitigation.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Given the critical nature of this XSS vulnerability, immediate remediation is required. Administrators should verify that all affected CI4MS instances are updated to version 0.31.0.0 to eliminate the injection vector and secure the navigation menu subsystem.