CVE-2026-34563

CI4MS · CI4MS

A stored blind cross-site scripting (XSS) vulnerability in CI4MS allows attackers to inject malicious JavaScript via backup filenames, which executes when viewed in backup management.

Executive summary

A stored Blind XSS vulnerability in CI4MS allows unauthorized script execution, potentially compromising administrative sessions and user data.

Vulnerability

The application fails to sanitize input within backup filenames during the upload process. An attacker can inject malicious payloads that are stored server-side and executed when an authenticated administrator accesses the backup management interface.

Business impact

Successful exploitation allows for the execution of arbitrary JavaScript in the context of an administrator’s browser session. This can lead to session hijacking, unauthorized configuration changes, or the exfiltration of sensitive application data. With a CVSS score of 9.1, this vulnerability poses a critical risk to the integrity and confidentiality of the CMS.

Remediation

Immediate Action: Upgrade the CI4MS installation to version 0.31.0.0 or later to implement required input sanitization and output encoding.

Proactive Monitoring: Audit application logs for suspicious characters or script tags within backup metadata fields.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common XSS patterns in file upload requests.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of this stored XSS flaw, immediate patching is required to prevent potential compromise of administrative accounts. Organizations should prioritize upgrading to version 0.31.0.0 and review existing backups for any signs of malicious injection.