
CVE-2026-34567: AI Deep Analysis Summary

CVSS 9.1 · Critical

Q1. What is this vulnerability? (Essence + Consequences)

**Essence**: Stored XSS in CI4MS. **Consequences**: Malicious scripts persist in blog categories and run in the browser of every user who views them, without the victim noticing. Data theft and session hijacking risk.…

Q2. Root Cause? (CWE/Flaw)

**CWE**: CWE-79 (Improper Neutralization of Input). **Flaw**: Unsanitized user input in category sections. **Root Cause**: Category data is not cleaned when posts are created or edited.…

Q3. Who is affected? (Versions/Components)

**Vendor**: ci4-cms-erp. **Product**: CI4MS. **Affected**: Versions **< 0.31.0.0**. **Safe**: Version 0.31.0.0 and above.

Q4. What can hackers do? (Privileges/Data)

**Attacker Action**: Inject malicious JS payloads. **Target**: Blog category fields. **Data Risk**: Steal cookies, admin tokens, or user data. **Scope**: Stored type = persistent threat to all viewers.

Q5. Is the exploitation threshold high? (Auth/Config)

**Auth Required**: Yes (PR:L). **Complexity**: Low (AC:L). **User Interaction**: None (UI:N). **Threshold**: Moderate. Needs authenticated access to create/edit posts; not exploitable by a remote unauthenticated attacker.

Q6. Is there a public exploit? (PoC/Wild Exploitation)

**Public Exploit**: No PoCs listed in data. **Wild Exploit**: Unconfirmed. **Risk**: Low immediate threat, but high potential if a PoC appears. Monitor GitHub advisories.

Q7. How to self-check? (Features/Scanning)

**Check**: Inspect blog category inputs. **Test**: Try injecting `<script>alert(1)</script>` into a category field. **Scan**: Look for stored XSS in category fields. **Verify**: Check whether the script executes when the page loads.

Q8. Is it fixed officially? (Patch/Mitigation)

**Fixed**: Yes. **Patch**: Upgrade to **v0.31.0.0**. **Source**: GitHub Releases & Security Advisories. **Action**: Update immediately to mitigate.

Q9. What if no patch? (Workaround)

**Workaround**: Sanitize inputs manually. **Restrict**: Limit editing privileges. **Clean**: Audit existing category content. **Disable**: Temporarily disable category editing if possible.
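As an added example (not CI4MS's own code), the rendering pattern that lets a stored category name reach the browser unescaped, beside a hardened version, plus an audit helper for the "clean existing category content" step of this workaround and the self-check in Q7. The function names, the `id`/`name` field layout and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example, not CI4MS's own code. Assumes category names are stored
// verbatim and later rendered into a view; all names below are constructed.

// Vulnerable pattern: stored category data is concatenated straight into HTML,
// so a name containing markup is interpreted by the browser.
function render_category_unsafe(array $category): string
{
    return '<li class="category">' . $category['name'] . '</li>';
}

// Hardened pattern: HTML-encode on output so the stored value is shown as text.
// In a CodeIgniter 4 view, the framework's esc() helper is the equivalent call.
function render_category_safe(array $category): string
{
    $name = htmlspecialchars($category['name'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<li class="category">' . $name . '</li>';
}

// Audit helper: flag stored rows whose name contains tags, inline event
// handlers or a javascript: URL, none of which a plain category name needs.
// Returns the ids of suspicious rows for manual review and cleanup.
function audit_categories(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $name = $row['name'];
        $hasTags = $name !== strip_tags($name);
        $hasHandler = preg_match('/on\w+\s*=|javascript:/i', $name) === 1;
        if ($hasTags || $hasHandler) {
            $flagged[] = $row['id'];
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for the blog category table.
$rows = [
    ['id' => 1, 'name' => 'Security'],
    ['id' => 2, 'name' => 'R&D <script>alert(1)</script>'],
    ['id' => 3, 'name' => '<img src=x onerror=alert(1)>'],
    ['id' => 4, 'name' => 'Tips & Tricks'],
];

echo render_category_unsafe($rows[1]), PHP_EOL; // script tag reaches the browser
echo render_category_safe($rows[1]), PHP_EOL;   // tag is encoded and shown as text
print_r(audit_categories($rows));               // ids of rows needing cleanup
```

Running the audit against a database export of the category table before and after cleanup gives a concrete checklist for the "Clean" step; the legitimate "Tips & Tricks" row is not flagged because an ampersand alone is not markup.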

Q10. Is it urgent? (Priority Suggestion)

**Priority**: High. **CVSS**: 7.8 (High). **Urgency**: Patch ASAP. **Reason**: Stored XSS is dangerous. Low barrier for authenticated attackers. Protect user data integrity.