CVE-2026-34561: CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

April 1, 2026 (updated April 27, 2026)

The application fails to properly sanitize user-controlled input within System Settings – Social Media Management. Multiple configuration fields, including Social Media and Social Media Link, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding.

Unlike typical stored XSS that executes on other pages (such as public-facing landing pages), this vulnerability executes directly on the same settings page. The injected payload breaks out of the input attribute context and is immediately interpreted by the browser, resulting in same-page DOM-based XSS.

This represents a different functionality and a separate vulnerability class from public-facing landing page injection.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-34561 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →