EXECUTIVE SUMMARY:
A critical security vulnerability was revealed CVE-2026-34989 in the CI4MS application’s profile and user management functionality, where inadequate input sanitization allowed attackers to inject malicious scripts into user profile fields. This stored DOM-based cross‑site scripting (XSS) flaw enables threat actors to execute arbitrary JavaScript in the context of other users’ browsers, including administrative users, which can lead to full account takeover, privilege escalation and complete application compromise without requiring prior authentication. The vulnerability stems from unsafe handling and rendering of user‑controlled input in multiple application views, and it impacts all affected versions; a fixed release mitigates the issue by applying proper sanitization and output encoding to prevent injection and execution of malicious code. The vulnerability has a CVSS score of 9.4.