CVE-2026-34559
CI4MS · CI4MS
A stored cross-site scripting (XSS) vulnerability in CI4MS allows attackers to inject malicious scripts into blog tags, executing in public and administrative interfaces.
Executive summary
A stored XSS vulnerability in CI4MS blog tags allows for the execution of malicious scripts, threatening both public users and administrative sessions.
Vulnerability
The application fails to sanitize input for blog tag creation and editing. These payloads are stored in the database and subsequently rendered without encoding on both public-facing pages and internal administrative dashboards.
Business impact
This vulnerability allows attackers to compromise both public visitors and internal administrators. Potential impacts include credential theft, redirection to malicious sites, and unauthorized administrative actions, justifying the 9.1 CVSS score. Such widespread exposure threatens both brand reputation and the security of the underlying CMS infrastructure.
Remediation
Immediate Action: Upgrade to version 0.31.0.0 to apply necessary input sanitization and output encoding for blog tags.
Proactive Monitoring: Scan existing blog tags for suspicious content and review web access logs for unusual requests targeting the tagging functionality.
Compensating Controls: Implement a Content Security Policy (CSP) to restrict the execution of inline scripts and unauthorized external resources.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Because this vulnerability affects both public and administrative interfaces, it is highly critical and requires immediate attention. Administrators must update to the latest version and verify that all existing tags are free of malicious payloads to fully secure the application.