CVE-2026-41201

MEDIUM6.8EPSS 0.06%

CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS

Published: 4/22/2026Modified: 5/8/2026

Description

An attacker can achieve Full Account Takeover and Privilege Escalation via Stored DOM XSS in the backup module's filename field, which is manipulated through an SQL file that tampers with the filename field to contain a hidden XSS payload.

Affected packages (1)

Packagist/ci4-cms-erp/ci4msfrom 0, < 0.31.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-41201
PATCHhttps://github.com/ci4-cms-erp/ci4ms
WEBhttps://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0
WEBhttps://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-qxpq-82f3-xj47