CVE-2026-34567 · PATCHED · CVSS 9.1
ci4-cms-erp · ci4ms

CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Description

A vulnerability marked as problematic has been reported in ci4-cms-erp ci4ms 0.28.5.0. This affects an unknown function of the component Categories Section. Performing a manipulation results in cross site scripting. This vulnerability was named CVE-2026-34567. The attack may be initiated remotely.

Affected Products

Vendor: ci4-cms-erp
Product: ci4ms
Versions: composer/ci4-cms-erp/ci4ms: <= 0.28.6.0, 0.28.5.0

References

  • https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r33w-c82v-x5v7 (x_refsource_CONFIRM)
  • https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0 (x_refsource_MISC)

Related News (1 article)

Tier C · VulDB · 5h ago
CVE-2026-34567 | ci4-cms-erp ci4ms 0.28.5.0 Categories Section cross site scripting (GHSA-r33w-c82v-x5v7)
→ No new info (linked only)
CVSS 3.1: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: ci4-cms-erp/ci4ms@0.31.0.0
CWE: CWE-79
Published: Apr 1, 2026
Last enriched: 4h ago (v2)
Trending Score: 30
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • HIGH · CVE-2026-34561 · EXP · Trending: 46
    CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  • CRITICAL · CVE-2026-34565 · Trending: 30
    CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  • CRITICAL · CVE-2026-34566 · Trending: 30
    CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  • CRITICAL · CVE-2026-34568 · Trending: 30
    CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  • CRITICAL · CVE-2026-34560 · Trending: 30
    CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 1, 2026
Patch Available: Apr 1, 2026
Discovered by ZDM: Apr 1, 2026
Updated (affectedVersions, description): Apr 2, 2026

Version History

v2 · Tier C · last enriched 4h ago

Updated affected versions to include 0.28.5.0, marked exploit availability as false, and provided a new description with details about CVE-2026-34567.

affectedVersions, description
via VulDB

v1 · 7h ago

Initial creation