PT-2026-29632 · Ci4Ms

Bugmithlegend +1

Published 2026-04-01 · Updated 2026-04-02

CVE-2026-34568

CVSS v3.1 9.1 Critical
Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions
CI4MS versions prior to 0.31.0.0

Description
The application does not properly sanitize user-controlled input when creating or editing blog posts. An attacker can inject a malicious JavaScript payload into blog post content, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). The affected functionality covers blog post creation, editing, storage, and retrieval logic. Because the payload is persisted with the post, it executes automatically whenever the affected post is viewed. Affected API endpoints include /backend/blogs/create, /backend/blogs/, and /blog/{id}. The vulnerable parameter is the blog post content itself.

Recommendations
Apply output encoding to all user-controlled data before rendering it in the browser. Sanitize all user-supplied input before it is processed or output. Enforce security headers and cookie attributes, including a Content Security Policy (CSP), the HttpOnly flag, the SameSite attribute, and the Secure flag.
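The following is an added example, not code from CI4MS or from this advisory, showing the two recommendations above in plain PHP (CI4MS is a CodeIgniter 4 application, whose esc() helper wraps the same htmlspecialchars() call for the HTML context): a view that interpolates stored post content raw beside one that encodes every user-controlled value at output time, plus a response-hardening function that sets a CSP and the HttpOnly, Secure and SameSite cookie attributes. The sample post content, the function names and the cookie name are constructed for the example.

```php
<?php
// Added example (not CI4MS code): output encoding for stored blog post
// content plus the header and cookie hardening the advisory recommends.
declare(strict_types=1);

// Constructed sample of stored content. Storage keeps it verbatim; the
// control is applied when the value is written into HTML.
const SAMPLE_POST_CONTENT = 'Hello <b>world</b> <script>alert(1)</script>';

/**
 * Encode untrusted text for an HTML element body or quoted attribute.
 * ENT_QUOTES also encodes single quotes, so the result is safe inside
 * either attribute quoting style; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string, which would silently drop content.
 */
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern ('before'): stored values interpolated into markup
// unchanged, so any tags in the content are parsed by the browser.
function renderPostVulnerable(string $title, string $content): string
{
    return "<h1>$title</h1><div class=\"post\">$content</div>";
}

// Hardened pattern: every user-controlled value is encoded at output,
// so the same stored content is displayed as text, not executed.
function renderPostSafe(string $title, string $content): string
{
    return '<h1>' . escapeHtml($title) . '</h1>'
         . '<div class="post">' . escapeHtml($content) . '</div>';
}

/**
 * Defence in depth for the response: a CSP that forbids inline script
 * (so an encoding gap elsewhere cannot run injected <script> blocks) and
 * the cookie attributes named in the advisory. The cookie name 'ci_session'
 * and its value are placeholders for this example.
 */
function applySecurityHeaders(): void
{
    if (headers_sent()) {
        return; // nothing to do once output has started (e.g. CLI demo below)
    }
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
    setcookie('ci_session', 'placeholder-session-value', [
        'httponly' => true,    // not readable from document.cookie
        'secure'   => true,    // only sent over HTTPS
        'samesite' => 'Strict',
        'path'     => '/',
    ]);
}

// Stand-alone demo: compare the two renderings of the same stored content.
if (PHP_SAPI === 'cli') {
    applySecurityHeaders();
    echo "Vulnerable rendering:\n", renderPostVulnerable('Post', SAMPLE_POST_CONTENT), "\n\n";
    echo "Hardened rendering:\n", renderPostSafe('Post', SAMPLE_POST_CONTENT), "\n";
}
```

Output encoding at the point of rendering is the control that closes the issue regardless of how the content reached the database; input sanitization is a second layer and only needs an HTML sanitizer with an allowlist if the blog editor is meant to accept formatting tags. Note that escapeHtml() is correct for HTML bodies and attributes only; values placed into JavaScript, URLs or CSS need the encoder for that context.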

Tags: Exploit · Fix · LPE · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34568
GHSA-X7WH-G25G-53VG

Affected Products

Ci4Ms