Skip to main content

CI4MS CVE-2026-41201

| EUVDEUVD-2026-28253 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-04-22 https://github.com/ci4-cms-erp/ci4ms GHSA-qxpq-82f3-xj47
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Source Code Evidence Fetched
May 07, 2026 - 04:45 vuln.today
Analysis Updated
May 07, 2026 - 04:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 07, 2026 - 04:35 vuln.today
cvss_changed
Severity Changed
May 07, 2026 - 04:35 NVD
MEDIUM CRITICAL
CVSS changed
May 07, 2026 - 04:35 NVD
6.8 (MEDIUM) 9.1 (CRITICAL)
Analysis Generated
Apr 23, 2026 - 07:07 vuln.today
Patch released
Apr 23, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 22, 2026 - 17:31 vuln.today
CVE Published
Apr 22, 2026 - 17:27 nvd
MEDIUM 6.8

DescriptionGitHub Advisory

Summary:

An attacker can acheive Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via an SQLl file that tampers with the file name field to contain hidden XSS payload.

AnalysisAI

Remote code execution and full account takeover in CI4MS (CodeIgniter 4 CMS/ERP) allows authenticated high-privilege users to escalate to superadmin and compromise all accounts via stored DOM XSS in backup module filename fields. Attackers craft malicious SQL backup files containing hidden JavaScript payloads that execute when administrators view backup listings. Vendor-released patch available in version 0.31.5.0, addressing XSS via output escaping in DataTables rendering. No CISA KEV listing or public POC identified at time of analysis, but CVSS 9.1 Critical reflects scope change and multi-stage exploitation potential.

Technical ContextAI

CI4MS is a CodeIgniter 4-based content management and ERP system written in PHP. The vulnerability stems from CWE-79 (Cross-Site Scripting) in the backup management module's filename handling. When backup files (SQL dumps) are uploaded or restored, the application stores filename metadata in the database without sanitization. The backup listing interface uses DataTables to dynamically render filenames from database records without proper output encoding. An attacker with high privileges (PR:H) can upload a crafted SQL file containing embedded XSS payloads in the filename field. When other administrators access the backup management interface, the malicious JavaScript executes in their browser context (Stored DOM XSS), enabling session hijacking and further privilege escalation. The CPE identifier pkg:composer/ci4-cms-erp_ci4ms confirms this affects the Composer-distributed PHP package. The CVSS scope change (S:C) indicates the vulnerability breaks trust boundaries, allowing attackers to pivot from backup module access to full administrative control.

RemediationAI

Upgrade immediately to CI4MS version 0.31.5.0 or later, available at https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0. The patch applies output escaping via esc() function to DataTables filename rendering in the Backup module, preventing stored DOM XSS execution. The release also addresses related vulnerabilities including Zip Slip RCE in backup restore and IDOR privilege escalation in UserController. If immediate upgrade is not feasible, implement compensating controls: restrict backup module access to only essential superadmin accounts (reduces attack surface by limiting who can upload malicious files), enable Content Security Policy headers to block inline script execution (add 'unsafe-inline' restrictions to script-src directive), and audit existing backup files for suspicious filenames containing JavaScript syntax (look for patterns like <script>, onerror=, or encoded payloads). Note that access restrictions only reduce likelihood, not vulnerability - they do not prevent exploitation if a trusted high-privilege account is already compromised. Manual input sanitization via output encoding is complex and error-prone compared to vendor patch. Vendor release notes at https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0 credit security researchers @offset, @bugmithlegend, @peeefour, and @DexterHK for coordinated disclosure.

Share

CVE-2026-41201 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy