CVE-2026-41201
BaseFortify
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ci4-cms-erp | ci4ms | to 0.31.5.0 (exc) |
| ci4-cms-erp | ci4ms | 0.31.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41201 is a critical vulnerability in the ci4-cms-erp/ci4ms package, specifically in version 0.31.4.0 and earlier. It involves a Stored DOM Blind Cross-Site Scripting (XSS) flaw in the backup module's filename field.
An attacker can exploit this vulnerability by manipulating a SQL file to include a hidden XSS payload in the filename field. This allows the attacker to execute malicious scripts in the context of the victim's browser.
The impact of this vulnerability includes full account takeover and privilege escalation for all user roles, enabling the attacker to gain unauthorized access and control.
This issue was patched in version 0.31.5.0.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including full account takeover and privilege escalation, allowing attackers to gain unauthorized access to user accounts and elevate their privileges.
Because the vulnerability affects confidentiality, integrity, and availability, attackers can compromise sensitive data, manipulate system functions, and disrupt service.
The CVSS score of 9.1 reflects the high severity and potential damage caused by this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the ci4ms software to version 0.31.5.0 or later, as this version includes critical security fixes addressing the Stored DOM Blind XSS flaw in the Backup module filename field, as well as other related vulnerabilities.
- Upgrade ci4ms to version 0.31.5.0 immediately.
- Review and apply any additional security patches or updates provided in the 0.31.5.0 release.
- Audit backup module usage and filenames for suspicious or unexpected entries that might contain malicious payloads.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to achieve full account takeover and privilege escalation via a Stored DOM XSS flaw, which can lead to unauthorized access to sensitive data and system controls.
Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate strict access controls.
Failure to patch this vulnerability could result in breaches of confidentiality, integrity, and availability of data, thereby violating regulatory requirements.