CVE-2026-41201
CriticalSummary
In version 0.31.4.0, CI4MS, based on CodeIgniter 4, has a vulnerability that allows full account takeover and privilege escalation via Stored DOM XSS in the backup module filename field. An attacker can manipulate this field using a SQL file to inject a hidden XSS payload.
Risk Assessment
This vulnerability can lead to complete account takeover and privilege escalation, posing a serious threat to the security of the system and user data.
Recommendation
It is recommended to upgrade to version 0.31.5.0, where the issue has been patched, to secure the system against these attacks.
Original NVD description (English source)
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via a sql file that tampers with the file name field to contain hidden XSS payload. This issue has been patched in version 0.31.5.0.

