CVE-2026-41201 Overview
CVE-2026-41201 is a stored Document Object Model (DOM) Cross-Site Scripting (XSS) vulnerability in CI4MS, a CodeIgniter 4-based content management system (CMS) skeleton with role-based access control (RBAC) and theme support. The flaw exists in version 0.31.4.0 and affects the backup module's filename field. An attacker can craft a SQL backup file whose filename contains a hidden XSS payload, which executes in the browser of any privileged user who views the backup listing. Successful exploitation enables full account takeover and privilege escalation. The maintainers fixed the issue in version 0.31.5.0.
Critical Impact
Authenticated attackers can hijack administrator sessions and escalate privileges by injecting JavaScript through a backup filename, leading to full compromise of the CMS.
Affected Products
- CI4MS version 0.31.4.0
- CodeIgniter 4-based deployments using the CI4MS backup module
- Installations prior to the 0.31.5.0 release
Discovery Timeline
- 2026-05-07 - CVE-2026-41201 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-41201
Vulnerability Analysis
The vulnerability is a stored DOM-based XSS issue tracked under [CWE-79]. The CI4MS backup module accepts SQL files and renders the filename in the administrative interface without proper output encoding or sanitization. An attacker who can upload or place a backup file controls the rendered filename and can embed JavaScript that executes when an administrator opens the backup view.
Because the payload is persisted server-side and triggered on each render, every administrator that loads the page executes the attacker's script. The script runs with the session context of the victim, which permits session token theft, forced privilege changes, and creation of new administrative accounts. The Common Vulnerability Scoring System (CVSS) vector indicates a scope change, reflecting that code injected in one component impacts the broader administrative session.
Root Cause
The root cause is missing input validation and output encoding on the backup filename field. The application treats filenames as trusted strings and writes them into the DOM without applying contextual escaping. CodeIgniter 4 provides escaping helpers, but the backup module does not invoke them when rendering filenames in the listing view.
Attack Vector
An authenticated attacker with permission to create or upload a backup crafts a SQL file whose name embeds an XSS payload, for example using HTML event handlers within the filename string. The file is stored by the backup module and listed in the administrative dashboard. When a higher-privileged user loads the dashboard, the browser parses the filename as HTML and executes the embedded script. The script can issue same-origin requests to RBAC endpoints, modify roles, or exfiltrate session data.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-qxpq-82f3-xj47 for maintainer technical details.
Detection Methods for CVE-2026-41201
Indicators of Compromise
- Backup files with non-standard filenames containing HTML tags, angle brackets, or JavaScript event handlers such as onerror= or onload=.
- Unexpected creation of new administrative accounts or RBAC role changes shortly after a backup file is uploaded.
- Outbound HTTP requests from administrator browsers to unfamiliar domains immediately after viewing the backup module.
Detection Strategies
- Inspect the backup storage directory for filenames that include characters outside the expected [A-Za-z0-9._-] set.
- Review web server access logs for POST requests to backup creation endpoints followed by administrator GET requests to the backup listing.
- Add web application firewall (WAF) rules that flag filenames containing <script, onerror, onload, or javascript: substrings.
Monitoring Recommendations
- Monitor RBAC tables and audit logs for unauthorized role escalations or new administrator creations.
- Alert on changes to user session tokens and concurrent sessions originating from different IP addresses.
- Track upload activity in the backup module and correlate with subsequent privilege changes.
How to Mitigate CVE-2026-41201
Immediate Actions Required
- Upgrade CI4MS to version 0.31.5.0 or later, which contains the official fix.
- Audit all existing backup filenames and remove any entry containing HTML or scripting characters.
- Rotate administrator credentials and invalidate active sessions if exploitation is suspected.
Patch Information
The maintainers patched the issue in CI4MS release 0.31.5.0. Details are documented in the GitHub Security Advisory GHSA-qxpq-82f3-xj47. Apply the upgrade following the project's standard deployment procedure and verify that the backup module renders filenames safely after the update.
Workarounds
- Restrict access to the backup module to a minimal set of trusted administrators until the patch is applied.
- Enforce a server-side filename allow-list that rejects any name not matching ^[A-Za-z0-9._-]+\.sql$.
- Deploy a Content Security Policy (CSP) that disallows inline scripts to reduce the impact of stored XSS payloads.
# Configuration example: enforce strict filename validation and CSP header
# Nginx CSP header for the CI4MS admin path
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" always;
# Example shell check to flag suspicious backup filenames
find /var/www/ci4ms/writable/backups -type f \
! -regex '.*/[A-Za-z0-9._-]+\.sql$' \
-print
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
