CVE-2026-34569

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0

Description The application does not properly sanitize user-controlled input when creating or editing blog categories. An attacker can inject a malicious JavaScript payload into the category title field, which is then stored server-side. This stored payload is later rendered unsafely across public-facing blog category pages, administrative interfaces, and blog post views without proper output encoding, leading to stored cross-site scripting (XSS). The affected functionality includes blog category creation and editing, as well as the storage and retrieval logic for blog categories. The attack involves creating or editing a blog category title with an XSS payload, which then executes automatically when the category title is rendered. The affected API endpoints are /backend/blogs/categories/ and /blog/{id}.

Recommendations Update to version 0.31.0.0 or later to address this issue. Avoid unsafe DOM manipulation methods such as .html() and innerHTML. Implement HTML entity encoding on all user-controlled data before rendering it in the browser. Implement input sanitization to ensure all user-supplied input is properly sanitized before processing or output.