Home / Vulnerability Intelligence / CVE-2026-34558

CVE-2026-34558 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: April 1, 2026

CI4MS - Stored XSS

Published: March 30, 2026Updated: April 1, 2026Remote Exploitable

Overview

CI4MS < 0.31.0.0 contains a stored XSS caused by improper sanitization of user input in Methods Management, letting attackers inject JavaScript payloads that execute in admin interfaces, exploit requires authenticated access.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 4.6%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary JavaScript in admin interfaces, potentially leading to session hijacking or administrative control.

Mitigation

Update to version 0.31.0.0 or later.

References

https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v77r-xg3p-75g7

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 31, 2026

⚠️ CRITICAL: CVE-2026-34558 in ci4ms (<0.31.0.0) — Stored DOM XSS in Methods Management lets attackers inject persistent JS into admin panels. Patch to 0.31.0.0+ ASAP! Details: https://radar.offseq.com/threat/cve-2026-34558-cwe-79-improper-neutralization-of-i-198231a4 #OffSeq #XSS #Vuln #AppSec

View original post

Related Resources

Details

CVE ID: CVE-2026-34558
Severity: Critical
CVSS Score: 9.1
Type: stored_xss
Status: unconfirmed
EPSS: 4.6%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

EPSS Score

4.6%Probability of exploitation in the next 30 days