External risk intelligence

Attacker can take over CI4MS accounts and gain admin control by tricking users with malicious files.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-41201

An attacker can fully take over accounts and gain admin control in CI4MS by tricking users with malicious backup filenames, potentially exposing sensitive data. A patch is available.

4Halo Surface Signal

Cross-site Scripting

External exposure likelihood

Halo Surface Signal score for CVE-2026-41201

CI4MS is a content management system, which is a class of software commonly deployed as an internet-facing web application. Although the vulnerability requires authenticated access to the backup module, the underlying product is a web-based platform typically exposed to the public internet for administrative and operational use.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This issue in CI4MS, a content management system, allows an attacker to take over accounts and elevate privileges. It involves injecting malicious code into a filename within the backup module, which then executes within the user's browser. This could allow unauthorized access to sensitive data or system control.

  • Full account takeover is possible.
  • Privilege escalation can occur.
  • Requires existing access to the backup module.

Attack Path

How an attacker could exploit the issue

An authenticated attacker could abuse this flaw by uploading a crafted SQL file, which would then tamper with a backup module's filename field to inject a hidden XSS payload. This could lead to full account takeover and privilege escalation by executing arbitrary code within the victim's browser session.

  • Requires authenticated access.
  • Target is backup module filename.
  • SQL file used to inject payload.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for account takeover and privilege escalation through stored DOM XSS, which attackers often favor for its potential to compromise user sessions and gain deeper access. While exploitation requires authenticated access, the nature of the vulnerability as a stored XSS in a CMS framework presents a persistent threat. The patch is available, but whether attackers will actively weaponize it depends on the installed base and difficulty of exploiting the specific conditions.

  • Stored XSS is a desirable attack type.
  • Patch is available.
  • Exploit requires authentication.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching CI4MS to version 0.31.5.0 immediately to address the critical Stored DOM XSS vulnerability. If patching is delayed, implement strict access controls and monitor backup module activity for suspicious filenames or unexpected behavior.

  • Patch to version 0.31.5.0.
  • Restrict access to backup module.
  • Monitor backup filenames for XSS.

Frequently asked questions

What is CI4MS and what is it used for?

CI4MS is a content management system (CMS) built using CodeIgniter 4. It provides a modular architecture for websites, offering features like role-based access control and theme support, making it a ready-to-use platform for web development.

How does CVE-2026-41201 impact CI4MS?

CVE-2026-41201 is a Stored DOM Cross-Site Scripting (XSS) vulnerability. It allows an attacker to inject malicious code into a filename within the backup module, leading to account takeover and privilege escalation.

What steps must an attacker take to exploit this vulnerability?

An attacker needs authenticated access to the backup module. They then upload a SQL file that manipulates a backup filename, embedding an XSS payload. This payload executes in the victim's browser when the filename is processed.

Who should be concerned about this vulnerability based on its exposure?

Organizations using CI4MS should be concerned, as this vulnerability is classified as external. This means the software is often deployed in ways that could be accessible from the internet, even though exploitation requires authenticated access to a specific module.

What is the first step to address this CVE in CI4MS?

The immediate and most important step is to update CI4MS to version 0.31.5.0, which contains the fix for this vulnerability. If immediate patching isn't possible, restricting access to the backup module and monitoring its activity is recommended.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished