CVE-2026-34562: CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
The application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding.
Affected fields include, but are not limited to:
- Company Name
- Slogan
- Company Phone
- Company Mobile
- Company Email
- Google Maps iframe link
- Company Logo and other media-related fields
Unlike the separately reported public-facing landing page injection, this issue triggers on the settings page itself. When the stored value is rendered back into the form, the payload terminates the surrounding HTML attribute and the browser interprets the remainder as markup and script, so the stored XSS fires as soon as the settings page is loaded (the report describes this as same-page DOM-based stored XSS).
Because the injection point and the rendering point are different functionality from the public-facing page, it is tracked as a separate vulnerability.
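The attribute-context breakout described above, shown as an added example that is not code from CI4MS or from the advisory: a template that interpolates a stored setting straight into an input's value attribute beside the hardened form that encodes for attribute context, and a crude attribute tokenizer that shows what the browser ends up treating as separate attributes. The payload string, the field names, and the allowlist used for the Google Maps iframe link field are constructed for illustration, not taken from the report.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed payload of the attribute-breakout class the advisory describes
# (assumption: the exact strings used by the reporter are not on the page).
PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def render_setting_input_unsafe(name, value):
    """Template as the advisory describes it: the stored value is interpolated
    straight into an attribute with no output encoding."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_setting_input_safe(name, value):
    """Hardened form: encode for the HTML attribute context. quote=True also
    escapes " and ' so the value can never terminate the attribute."""
    return (f'<input type="text" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')


# Crude attribute tokenizer, enough to show what the browser will see as
# separate attributes on one start tag. Not a full HTML5 parser.
_TAG_RE = re.compile(r'<\s*[a-zA-Z][\w-]*\s*')
_ATTR_RE = re.compile(r'''([^\s"'>/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?''')


def attribute_names(tag_html):
    """Return the attribute names a browser would parse out of a single tag."""
    m = _TAG_RE.match(tag_html)
    if not m:
        raise ValueError("not a start tag")
    body = tag_html[m.end():].rstrip('>').rstrip('/')
    return [a.group(1) for a in _ATTR_RE.finditer(body)]


# Allowlist for the "Google Maps iframe link" field. The host and path prefix
# are an assumption about what that field is meant to hold; adjust per deployment.
ALLOWED_EMBED_HOST = "www.google.com"
ALLOWED_EMBED_PATH = "/maps/embed"


def validate_embed_url(url):
    """Input-side check to use alongside output encoding: accept only an https
    URL on the allowlisted host whose path starts with the embed prefix."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or parts.hostname != ALLOWED_EMBED_HOST:
        return False
    return parts.path.startswith(ALLOWED_EMBED_PATH)


if __name__ == "__main__":
    unsafe = render_setting_input_unsafe("company_name", PAYLOAD)
    safe = render_setting_input_safe("company_name", PAYLOAD)
    print("unsafe:", unsafe, attribute_names(unsafe))
    print("safe:  ", safe, attribute_names(safe))
    print(validate_embed_url("https://www.google.com/maps/embed?pb=abc"))
    print(validate_embed_url("https://www.google.com.evil.example/maps/embed"))
```

With the unsafe template the tokenizer reports `autofocus` and `onfocus` as attributes of their own, which is exactly what lets the payload execute when the settings page is rendered; with the encoded template the whole payload stays inside the single `value` attribute. The URL allowlist is a second layer for the iframe field, not a substitute for encoding at the rendering point.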