CVE-2026-41201 in ci4ms
Résumé
par MITRE • 07/05/2026
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated via a sql file that tampers with the file name field to contain hidden XSS payload. This issue has been patched in version 0.31.5.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.