Packagist · Ci4-Cms-Erp/Ci4Ms · CVE-2026-41201
**Name of the Vulnerable Software and Affected Versions**
CI4MS versions prior to 0.31.5.0
**Description**
A stored DOM-based cross-site scripting (XSS) issue exists in the backup module. An attacker can manipulate the filename field using an SQL file to inject a hidden XSS payload, potentially leading to full account takeover and privilege escalation.
**Recommendations**
Update to version 0.31.5.0.
As a temporary workaround, restrict access to the backup module to minimize the risk of exploitation.