CVE-2026-34560: CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
The application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding.
This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page.
For example, accessing /backend/backup/restore/xss-payload-here causes an error that gets logged by the application. If the injected portion contains an XSS payload, it is stored inside the logs without sanitization and later rendered unsafely inside the logs management interface.
When an administrator views the logs page, the stored payload executes automatically in the administrative browser context, leading to stored blind cross-site scripting (Blind XSS).
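The defect described above is a missing output-encoding step: log text that originated in an attacker-controlled request path is interpolated into the logs page as raw HTML. The following Python block is an added illustration, not code from CI4MS, and assumes a simplified log entry of just a level and a message. It places the vulnerable rendering pattern beside the hardened one (escape every untrusted field at output time) and adds a small detection helper that flags stored entries containing markup, which a defender can run over existing log files to see whether anything was planted before the fix. The sample log lines are constructed.

```python
import html
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class LogEntry:
    level: str
    message: str


# Constructed sample log lines (not taken from CI4MS): one benign entry and one
# recording a request whose path carried browser markup, as in the advisory.
SAMPLE_ENTRIES: List[LogEntry] = [
    LogEntry("INFO", "Backup restored by user 42"),
    LogEntry("ERROR", "Route not found: /backend/backup/restore/<script>alert(1)</script>"),
]


def render_row_unsafe(entry: LogEntry) -> str:
    """Vulnerable pattern: stored log text is interpolated straight into HTML,
    so any tag inside the message becomes live markup in the admin's browser."""
    return f"<tr><td>{entry.level}</td><td>{entry.message}</td></tr>"


def render_row_safe(entry: LogEntry) -> str:
    """Hardened pattern: every field that can carry user input is HTML-escaped
    at output time (&, <, >, quotes), so the browser shows the payload as text."""
    return (
        f"<tr><td>{html.escape(entry.level)}</td>"
        f"<td>{html.escape(entry.message)}</td></tr>"
    )


def render_log_table(entries: Iterable[LogEntry], safe: bool = True) -> str:
    """Render the logs page body; `safe=False` reproduces the vulnerable behaviour."""
    row = render_row_safe if safe else render_row_unsafe
    return "<table>" + "".join(row(e) for e in entries) + "</table>"


# Detection aid: HTML tags or a javascript: scheme inside a stored log message
# are a strong signal that someone tried to plant a payload for the log viewer.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|javascript:", re.IGNORECASE)


def flag_suspicious_entries(entries: Iterable[LogEntry]) -> List[LogEntry]:
    """Return the entries whose message contains markup worth a closer look."""
    return [e for e in entries if MARKUP_RE.search(e.message)]


if __name__ == "__main__":
    print("vulnerable:", render_log_table(SAMPLE_ENTRIES, safe=False))
    print("hardened:  ", render_log_table(SAMPLE_ENTRIES, safe=True))
    for e in flag_suspicious_entries(SAMPLE_ENTRIES):
        print("suspicious log entry:", e.level, e.message)
```

In a CodeIgniter 4 view the equivalent of `html.escape` is the framework's `esc()` helper applied to each log field when it is echoed; escaping belongs at the point of output, not at log-write time, so that the log file keeps the exact request that was seen while the viewer can never interpret it as markup. A restrictive Content-Security-Policy on the backend pages is a useful second layer but does not replace the encoding.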