PT-2026-34596 · Packagist+1 · Ci4-Cms-Erp/Ci4Ms+1
Bugmithlegend +1 · Published 2026-04-22 · Updated 2026-05-12
CVE-2026-41201
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
CI4MS versions prior to 0.31.5.0
Description
A Stored DOM XSS (Cross-Site Scripting) issue exists in the backup module. An attacker can manipulate the filename field using an SQL file to inject a hidden XSS payload, potentially leading to full account takeover and privilege escalation.
Recommendations
Update to version 0.31.5.0.
As a temporary workaround, restrict access to the backup module to minimize the risk of exploitation.
Fix
XSS
Affected Products
Ci4-Cms-Erp/Ci4Ms
Ci4Ms