CVE-2026-41201: Critical CI4MS Account Takeover Via Stored XSS
The National Vulnerability Database has disclosed CVE-2026-41201, a critical vulnerability in CI4MS, a CodeIgniter 4-based CMS skeleton. This flaw, present in version 0.31.4.0, allows an attacker to achieve full account takeover and privilege escalation. The attack vector is a stored DOM XSS payload hidden within a manipulated SQL backup filename field. This effectively bypasses typical input sanitization.
The attacker’s calculus here is clear: inject the XSS payload into a seemingly innocuous field during a backup operation. When an administrator or other privileged user later views or restores that malicious backup, the hidden XSS triggers in their browser, giving the attacker that user’s session and its elevated privileges. This is a classic example of an attacker leveraging trust in system-generated data: a filename is treated as safe because the application itself produced the list it appears in.
CI4MS users running version 0.31.4.0 are directly exposed. The National Vulnerability Database confirms this issue has been patched in version 0.31.5.0. Defenders must prioritize patching to mitigate this severe risk, which carries a CVSS score of 9.1 (Critical). This isn’t theoretical; it’s a direct path to total system compromise.
What This Means For You
- If your organization utilizes CI4MS, immediately verify your version. If you are running 0.31.4.0 or earlier, patch to 0.31.5.0 without delay. Furthermore, audit any recent backup operations for suspicious filenames or unexpected SQL file modifications, as this is the primary vector for injecting the XSS payload.
🛡️ Detection Rules
CVE-2026-41201: CI4MS Backup Module Stored XSS Payload
```yaml
title: 'CVE-2026-41201: CI4MS Backup Module Stored XSS Payload'
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
  Detects the specific Stored DOM XSS payload targeting the backup module's filename parameter in CI4MS version 0.31.4.0. This payload is designed to achieve account takeover.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41201/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/ci4ms/backup'
    # |all: both substrings must appear in the query string (AND within one field)
    cs-uri-query|contains|all:
      - 'filename='
      - '<script>alert(document.domain)</script>'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
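To show what the rule above actually matches, here is an added Python re-implementation of its selection logic run over a few constructed W3C-style web server log lines. This is example code, not part of the advisory or of CI4MS; the log layout (`cs-uri-stem` standing in for the rule's `cs-uri`), the IP addresses and the filenames are all made up. Note that the Sigma rule as written matches only the literal, unencoded payload string; the `decode` option below URL-decodes the query first so that the percent-encoded form of the same payload is also caught, which is this example's own extension of the rule.

```python
"""Re-implementation of the CVE-2026-41201 Sigma selection over sample logs.

Added example; the log lines, hosts and paths are constructed for
illustration and are not taken from any real system.
"""
from urllib.parse import unquote_plus

# Constructed sample in W3C extended log format. The field layout is an
# assumption; real servers log different columns.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-05-07 07:20:01 10.0.0.5 POST /ci4ms/backup filename=site-2026-05-07.sql 200
2026-05-07 07:21:13 10.0.0.9 POST /ci4ms/backup filename=x<script>alert(document.domain)</script>.sql 200
2026-05-07 07:22:40 10.0.0.9 POST /ci4ms/backup filename=x%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E.sql 200
2026-05-07 07:23:02 10.0.0.7 GET /ci4ms/admin/dashboard - 200
"""

# Literal payload string from the Sigma rule's cs-uri-query selection.
PAYLOAD = "<script>alert(document.domain)</script>"


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        # The last field absorbs any remaining whitespace-separated tokens.
        parts = line.split(maxsplit=len(fields) - 1)
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def matches_rule(event, decode=True):
    """Sigma selection: cs-uri contains '/ci4ms/backup' AND cs-uri-query
    contains both 'filename=' and the literal payload (the |all modifier).

    decode=True URL-decodes the query first; the rule itself does not,
    so percent-encoded payloads would slip past a literal match.
    """
    uri = event.get("cs-uri-stem", "")
    query = event.get("cs-uri-query", "")
    if decode:
        query = unquote_plus(query)
    return "/ci4ms/backup" in uri and "filename=" in query and PAYLOAD in query


def scan(text, decode=True):
    """Return (date, time, c-ip) for every event the selection matches."""
    return [
        (e["date"], e["time"], e["c-ip"])
        for e in parse_w3c(text)
        if matches_rule(e, decode)
    ]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT CVE-2026-41201 candidate backup request:", *hit)
```

Run as-is the script flags the two requests from 10.0.0.9; with `decode=False` (the rule's literal behaviour) only the unencoded one is caught, which is the gap a practitioner should keep in mind when deploying a payload-specific rule like this one, alongside the rule's own stated false positive of legitimate administrative backup activity.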
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41201 | XSS | CI4MS version 0.31.4.0 |
| CVE-2026-41201 | Privilege Escalation | CI4MS version 0.31.4.0 |
| CVE-2026-41201 | Auth Bypass | CI4MS version 0.31.4.0 |
| CVE-2026-41201 | XSS | Stored DOM XSS in backup module filename field |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 07, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.