CVE-2026-41201 — AI Deep Analysis Summary

🚨 **Essence**: DOM XSS in CI4MS Backup Module. 📉 **Consequences**: Attackers inject malicious scripts via tampered SQL filenames. This leads to **Full Account Takeover** and **Privilege Escalation**.…

🛡️ **CWE**: CWE-79 (Improper Neutralization of Input During Web Page Generation). 🔍 **Flaw**: The application fails to sanitize user-controlled input (file names) in the backup module.…

📦 **Product**: CI4MS (CodeIgniter 4 CMS). 🏢 **Vendor**: ci4-cms-erp. 📅 **Affected Versions**: Specifically **v0.31.4.0** and likely earlier versions. ✅ **Fixed In**: v0.31.5.0.

💀 **Attacker Actions**: 1. Inject hidden XSS payloads into backup files. 2. Trigger execution when admins view backups. 3. **Steal Admin Cookies/Sessions**. 4. **Take over Admin Accounts**. 5.…

🔐 **Auth Required**: YES. The CVSS vector shows **PR:H** (Privileges Required: High). 🎯 **Threshold**: Medium-High.…

🚫 **Public Exploit**: NO. The `pocs` array is empty in the data. 🌐 **Wild Exploitation**: None reported.…

🔍 **Self-Check**: 1. Check your CI4MS version. Is it **0.31.4.0**? 2. Inspect the **Backup Module**. 3. Look for unsanitized file name displays in the UI. 4. Scan for reflected/stored XSS in backup file inputs.…

✅ **Fixed**: YES. The vendor released patch **v0.31.5.0**. 🔗 **Reference**: GitHub Release & Security Advisory (GHSA-qxpq-82f3-xj47). 🔄 **Action**: Upgrade immediately to the latest stable version.

🚧 **No Patch Workaround**: 1. **Disable Backup Module** if not needed. 2. Implement **WAF Rules** to block XSS payloads in file upload fields. 3. Enforce strict **Input Validation** on file names. 4.…

🔥 **Urgency**: HIGH. 📊 **CVSS Score**: High (Vector indicates High Impact on Confidentiality, Integrity, Availability). ⏳ **Priority**: Patch immediately. Account takeover is a critical business risk.…