CI4 CMS ERP CVE-2026-41201

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-22 https://github.com/ci4-cms-erp/ci4ms

GHSA-qxpq-82f3-xj47

XSS Privilege Escalation

6.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 23, 2026 - 07:07 vuln.today

DescriptionNVD

Summary:

An attacker can acheive Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via an SQLl file that tampers with the file name field to contain hidden XSS payload.

AnalysisAI

Stored DOM XSS in CI4 CMS ERP backup module filename field allows authenticated high-privilege attackers to achieve full account takeover and privilege escalation via malicious SQL files containing hidden XSS payloads in the filename. User interaction is required for exploitation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41201 vulnerability details – vuln.today

Back

CI4 CMS ERP CVE-2026-41201

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Summary:

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code