Impact
The vulnerability stems from the blog tag name field, whose user input is neither validated nor sanitized. Malicious JavaScript can be injected and stored on the server, then rendered without output encoding on public tag pages and in administrative views. Because the script executes in the victim's browser context, an attacker can harvest session cookies, perform credential phishing, or redirect the user to malicious sites. This flaw is a classic stored XSS vulnerability (CWE-79).
Affected Systems
The flaw is present in any CI4MS installation supplied by ci4-cms-erp that runs a version earlier than 0.31.0.0. The 0.31.0.0 release includes the patch that validates tag input and correctly encodes rendered output. Existing deployments that have not applied this update remain vulnerable.
Risk and Exploitability
The base CVSS score of 9.1 indicates critical severity. The EPSS probability is below 1 % and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, which suggests that widespread exploitation has not been observed. The likely attack vector is the legitimate web interface that accepts tag names. Based on the description, it is inferred that an attacker must have permission to create or edit blog tags. Once a user views a page containing the malicious tag, the injected script runs in that user's browser, potentially enabling credential theft, session hijacking, or other client-side attacks. No server-side code execution or direct bypass of authentication controls is documented.
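The two halves of the fix described above, input validation and output encoding of the tag name, as an added PHP example that is not CI4MS's own code; the function names, the `/blog/tag/` path and the 50-character limit are assumptions.

```php
<?php
// Added example, not CI4MS code: validate a blog tag name when it is
// created and encode it when it is rendered. Names and limits are assumed.
declare(strict_types=1);

// Input validation: accept only letters, digits, spaces, hyphens and
// underscores, 1-50 characters. Reject anything else rather than "cleaning" it.
function validateTagName(string $tag): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} _-]{1,50}$/u', $tag);
}

// Vulnerable rendering: the stored tag name is interpolated into the HTML
// as-is, so a tag such as "<script>...</script>" runs in every visitor's browser.
function renderTagUnsafe(string $tag): string
{
    return '<a href="/blog/tag/' . $tag . '">' . $tag . '</a>';
}

// Hardened rendering: HTML-encode the value for the element body and the
// attribute context, and URL-encode it for the path segment. Encoding is done
// at output time even for validated input, because rows stored before the fix
// may already contain markup. In CodeIgniter 4 views, esc($tag) does the
// HTML encoding step.
function renderTagSafe(string $tag): string
{
    $text = htmlspecialchars($tag, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $path = rawurlencode($tag);
    return '<a href="/blog/tag/' . $path . '">' . $text . '</a>';
}

// Constructed sample input: one benign tag and one tag carrying a script element.
$tags = ['security', '<script>alert(1)</script>'];
foreach ($tags as $tag) {
    printf("input : %s\nvalid : %s\nunsafe: %s\nsafe  : %s\n\n",
        $tag,
        validateTagName($tag) ? 'yes' : 'no',
        renderTagUnsafe($tag),
        renderTagSafe($tag)
    );
}
```

For the second sample, `validateTagName` returns false and `renderTagSafe` emits `&lt;script&gt;` rather than a live element, so the stored value is displayed as text instead of executed.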
OpenCVE Enrichment