HarborGuard / CVE
Back to search
CRITICALCVE-2026-41201Published Modified CNA GitHub_M

CVE-2026-41201: CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS Version 2

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via a sql file that tampers with the file name field to contain hidden XSS payload. This issue has been patched in version 0.31.5.0.

Metrics

CVSS v3.1
9.1
Severity
CRITICAL
Fixed in
Affected Products
1
Affected packages
  • ci4-cms-erp / ci4ms
    = 0.31.4.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
References