Critical severity 9.1 · GHSA Advisory · Published May 7, 2026 · Updated May 7, 2026
CVE-2026-41201
Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve full account takeover and privilege escalation through a stored DOM XSS in the backup module's filename field: a crafted SQL file tampers with the filename field so that it contains a hidden XSS payload. This issue has been patched in version 0.31.5.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ci4-cms-erp/ci4ms (Packagist) | < 0.31.5.0 | 0.31.5.0 |
Affected products
- Range: < 0.31.5.0
Patches
No patches discovered yet.