PT-2026-29627 · Ci4Ms · Ci4Ms

Bugmithlegend · Published 2026-04-01 · Updated 2026-04-02 · CVE-2026-34562

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
CI4MS versions prior to 0.31.0.0

Description
CI4MS fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields, including Company Name, Slogan, Company Phone, Company Mobile, Company Email, Google Maps iframe link, and Company Logo, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This results in stored DOM-based Cross-Site Scripting (XSS) with immediate same-page execution. The vulnerability allows an attacker to inject a malicious JavaScript payload into these fields, which breaks out of the HTML attribute context and executes in the browser of the authenticated user managing settings. This can lead to administrative privilege escalation and full platform compromise. The affected API endpoint is /backend/settings/ (Company Information). The vulnerable parameters are the input fields within the Company Information section.

Recommendations
Versions prior to 0.31.0.0: upgrade to version 0.31.0.0 or later to address the vulnerability. Avoid unsafe DOM manipulation methods such as .html() and innerHTML. Apply HTML entity encoding to all user-controlled data before rendering it in the browser. Validate and sanitize all user-supplied input before it is processed, stored, or output.
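The encoding step the recommendations call for, shown as an added example that is not CI4MS project code: stored Company Information values are HTML-entity encoded before being placed into the settings form's attribute context, and a check confirms no value can close the attribute. Field names and the form shape are assumptions.

```javascript
// Added example (not CI4MS project code): the mitigation the advisory recommends,
// HTML entity encoding of stored Company Information values before they are
// placed into markup, instead of inserting raw values with .html()/innerHTML.
// Field names and the form shape are assumptions, not taken from CI4MS.

const ENTITY_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode every character that can close an attribute value or open a tag.
// Ampersand is included so encoded output cannot be decoded back into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Hypothetical field names modelled on the advisory's Company Information section.
const COMPANY_FIELDS = [
  "company_name", "slogan", "company_phone", "company_mobile",
  "company_email", "maps_iframe", "company_logo",
];

// Render the settings inputs with every stored value encoded for attribute context.
// This replaces building the form from unencoded values with $(el).html(...).
function renderCompanyInfo(settings) {
  return COMPANY_FIELDS
    .map((field) => `<input name="${field}" value="${escapeHtml(settings[field] ?? "")}">`)
    .join("\n");
}

// Check that each rendered line is still one <input> whose value attribute holds
// no raw quote or angle bracket, i.e. the attribute context was not broken out of.
function attributeContextIntact(html) {
  return html.split("\n").every((line) =>
    /^<input name="[a-z_]+" value="[^"<>]*">$/.test(line));
}

// Constructed sample values containing attribute and tag delimiters (not a payload).
const SAMPLE_SETTINGS = {
  company_name: 'Acme "Widgets" & <Sons>',
  slogan: "It's fast",
  maps_iframe: '<iframe src="https://maps.example/embed?q=acme"></iframe>',
};

console.log(renderCompanyInfo(SAMPLE_SETTINGS));
```

The same encoder applies when the value is written into element content; for an element set by script, assigning to `textContent` or `value` rather than `innerHTML` avoids the parse step entirely.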

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34562
GHSA-V897-C6VQ-6CR3

Affected Products

Ci4Ms