CVE-2026-34566
CI4MS · CI4MS
CI4MS versions prior to 0.31.0.0 are vulnerable to stored cross-site scripting (XSS) via unsanitized input in the Page Management functionality.
Executive summary
A stored cross-site scripting vulnerability in the CI4MS Page Management module allows attackers to execute arbitrary JavaScript in administrative and public-facing contexts.
Vulnerability
This is a stored cross-site scripting (XSS) vulnerability where the Page Management functionality fails to sanitize user-controlled input. An authenticated attacker can inject malicious JavaScript payloads that are executed when the content is rendered in administrative or public views.
Business impact
Successful exploitation permits an attacker to hijack user sessions, perform unauthorized administrative actions, or deface public-facing pages. Given the CVSS score of 9.1, this vulnerability poses a severe risk to organizational integrity and data confidentiality, as it can lead to full compromise of user accounts within the CMS.
Remediation
Immediate Action: Upgrade the CI4MS installation to version 0.31.0.0 or later to ensure proper output encoding is implemented.
Proactive Monitoring: Review web server and application logs for suspicious input patterns, particularly those containing script tags or encoded payloads, within page management requests.
Compensating Controls: Deploy a Web Application Firewall (WAF) with strict XSS filtering rules to inspect and block malicious payloads directed at the CMS input fields.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
The severity of this vulnerability necessitates an immediate update to version 0.31.0.0. Organizations should prioritize patching to prevent potential session hijacking and unauthorized administrative access stemming from this high-impact XSS flaw.