{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "= 0.31.4.0"
              },
              {
                "last_affected": "= 0.31.4.0"
              }
            ],
            "source": [
              "AFFECTED_FIELD",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "379ebb6022883c1bc01dba9db3c19ff29c46b7dd"
            },
            {
              "fixed": "418f0bf2b04ee9b046ea296c55d31466ecd0c919"
            }
          ],
          "repo": "https://github.com/ci4-cms-erp/ci4ms",
          "type": "GIT"
        }
      ],
      "versions": [
        "= 0.31.4.0"
      ]
    }
  ],
  "aliases": [
    "GHSA-qxpq-82f3-xj47"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41201.json"
  },
  "details": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover \u0026 Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via a sql file that tampers with the file name field to contain hidden XSS payload. This issue has been patched in version 0.31.5.0.",
  "id": "CVE-2026-41201",
  "modified": "2026-07-08T05:36:56.583722910Z",
  "published": "2026-05-07T03:16:41.280Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41201.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-qxpq-82f3-xj47"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41201"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CI4MS: Backup Management Full Account Takeover for All-Roles \u0026 Privilege-Escalation via Stored DOM Blind XSS Version 2"
}