Executive Summary

CVE-2026-41201 is a critical vulnerability in the ci4-cms-erp/ci4ms package, specifically in version 0.31.4.0 and earlier. It involves a Stored DOM Blind Cross-Site Scripting (XSS) flaw in the backup module's filename field.

An attacker can exploit this vulnerability by manipulating a SQL file to include a hidden XSS payload in the filename field. This allows the attacker to execute malicious scripts in the context of the victim's browser.

The impact of this vulnerability includes full account takeover and privilege escalation for all user roles, enabling the attacker to gain unauthorized access and control.

This issue was patched in version 0.31.5.0.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including full account takeover and privilege escalation, allowing attackers to gain unauthorized access to user accounts and elevate their privileges.

Because the vulnerability affects confidentiality, integrity, and availability, attackers can compromise sensitive data, manipulate system functions, and disrupt service.

The CVSS score of 9.1 reflects the high severity and potential damage caused by this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the ci4ms software to version 0.31.5.0 or later, as this version includes critical security fixes addressing the Stored DOM Blind XSS flaw in the Backup module filename field, as well as other related vulnerabilities.

• Upgrade ci4ms to version 0.31.5.0 immediately.
• Review and apply any additional security patches or updates provided in the 0.31.5.0 release.
• Audit backup module usage and filenames for suspicious or unexpected entries that might contain malicious payloads.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to achieve full account takeover and privilege escalation via a Stored DOM XSS flaw, which can lead to unauthorized access to sensitive data and system controls.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate strict access controls.

Failure to patch this vulnerability could result in breaches of confidentiality, integrity, and availability of data, thereby violating regulatory requirements.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a Stored DOM Blind Cross-Site Scripting (XSS) flaw in the backup module's filename field, which is exploited by manipulating a SQL file to include a hidden XSS payload in the filename.

To detect this vulnerability on your system, you should check if you are running ci4ms version 0.31.4.0 or earlier, as the issue is patched in version 0.31.5.0.

You can inspect backup filenames for suspicious or encoded script payloads that may indicate exploitation attempts.

Since the vulnerability is related to stored XSS in filenames, commands to search for suspicious patterns in backup filenames could include:

• Using grep to find suspicious script tags or encoded payloads in backup filenames or SQL files: grep -r -iE "<script|%3Cscript|onerror|onload" /path/to/backup/directory
• Listing backup files with unusual characters or extensions that might contain payloads: ls -l /path/to/backup/directory | grep -E "\.sql$|\.zip$"

Additionally, reviewing logs for unusual access patterns or privilege escalations related to backup module usage may help detect exploitation.

Ultimately, the best mitigation and detection is to update to version 0.31.5.0 or later, which patches this vulnerability.

Useful 0 Not Useful 0