CVE-2026-41201

Published
View on NVD ↗
CVSS v3
9.1
CRITICAL
CVSS v2
N/A
Affected
1
PROJECT

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via a sql file that tampers with the file name field to contain hidden XSS payload. This issue has been patched in version 0.31.5.0.

ci4-cms-erp/ci4ms
ci4-cms-erp/ci4ms
Modular CodeIgniter 4 CMS featuring RBAC admin, theming, blog/page management, elFinder media integration, and CLI tooling for rapid customization.
GitHubGitHub
24