Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via a sql file that tampers with the file name field to contain hidden XSS payload. This issue has been patched in version 0.31.5.0.
Published: 2026-05-07
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored DOM XSS in the backup module of CI4MS, specifically in the filename field. An attacker can embed a hidden XSS payload by tampering with the filename when a SQL file is processed. This flaw allows the execution of arbitrary JavaScript in the context of an authenticated user and is classified as CWE-79. The primary impact is that an attacker can gain full control over any user account and elevate privileges to the highest level, effectively taking over the entire system.

Affected Systems

Vendor ci4-cms-erp offers the CI4MS CMS. Versions affected include 0.31.4.0. The vulnerability was fixed in version 0.31.5.0. All installations running 0.31.4.0 or earlier are vulnerable.

Risk and Exploitability

The assigned CVSS score of 9.1 indicates a critical level of risk. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector involves uploading or injecting a crafted SQL file that modifies the backup filename, enabling the stored XSS payload to execute when accessed. Because the flaw achieves full account takeover, the threat is significant even if the exploitation conditions require some level of access to the backup functionality.

Generated by OpenCVE AI on May 7, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CI4MS to version 0.31.5.0 or later to apply the official fix for the stored DOM XSS in the backup module.
  • If an upgrade cannot be performed immediately, disable the backup module or restrict its access to only the highest‑privilege accounts, and prevent arbitrary SQL file uploads to that module.
  • Apply strict input validation on the backup filename field and implement a Content‑Security‑Policy that blocks inline scripts to mitigate any remaining XSS vectors.

Generated by OpenCVE AI on May 7, 2026 at 05:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qxpq-82f3-xj47 CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS
History

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Ci4-cms-erp
Ci4-cms-erp ci4ms
Vendors & Products Ci4-cms-erp
Ci4-cms-erp ci4ms

Thu, 07 May 2026 04:15:00 +0000

Type Values Removed Values Added
Description CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via a sql file that tampers with the file name field to contain hidden XSS payload. This issue has been patched in version 0.31.5.0.
Title CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS Version 2
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Ci4-cms-erp Ci4ms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:07:34.294Z

Reserved: 2026-04-18T02:51:52.974Z

Link: CVE-2026-41201

cve-icon Vulnrichment

Updated: 2026-05-07T14:07:31.176Z

cve-icon NVD

Status : Deferred

Published: 2026-05-07T04:16:26.240

Modified: 2026-05-07T14:57:13.077

Link: CVE-2026-41201

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T07:30:24Z

Weaknesses