CVE-2026-41201 — CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalat

Description

An attacker can achieve Full Account Takeover and Privilege Escalation via Stored DOM XSS in the backup module's filename field, which is manipulated through an SQL file that tampers with the filename field to contain a hidden XSS payload.

How to fix CVE-2026-41201

To remediate CVE-2026-41201, upgrade the affected package to a fixed version below.

—upgrade to 0.31.5.0 or later

Is CVE-2026-41201 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.31.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-41201
PATCHgithub.com/ci4-cms-erp/ci4ms
WEBgithub.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0
WEBgithub.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-qxpq-82f3-xj47