Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process. This issue has been patched in version 0.28.5.0.
Published: 2026-02-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure – user email enumeration
Action: Apply Patch
AI Analysis

Impact

A flaw in CI4MS’s authentication logic allows an attacker with no credentials to discover whether a given email address is registered in the system by observing differing responses during the password‑reset flow. The vulnerability exposes user identities, thereby providing valuable information for targeted phishing or social‑engineering attacks without granting any additional system privileges.

Affected Systems

All installations of CI4MS earlier than version 0.28.5.0 run the vulnerable code. The affected product is the CI4MS CMS skeleton from the vendor ci4‑cms‑erp. No specific sub‑versions are listed beyond that cut‑off, so any release before 0.28.5.0 is considered impacted.

Risk and Exploitability

The CVSS score of 5.3 places the flaw in the moderate range, and the EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. The defect is not listed in CISA’s Known Exploited Vulnerabilities catalog. A likely exploitation path is a web‑based request to the password‑reset endpoint, which a remote attacker can repeatedly query with arbitrary email addresses to see whether the application returns a success or error message. No authentication or privileged context is required to carry out the enumeration.

Generated by OpenCVE AI on April 18, 2026 at 14:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CI4MS to version 0.28.5.0 or later, which contains the patch that removes the email‑enumeration behavior.
  • If an immediate upgrade is not possible, limit the password‑reset function so that only users with authenticated administrative privileges can initiate a reset, effectively blocking unauthenticated enumeration attempts.
  • Add a CAPTCHA or similar bot‑mitigation measure to the password‑reset form to increase the effort required for automated enumeration queries.
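The observable discrepancy described under Risk and Exploitability, and the uniform-response behaviour the patched release restores, as an added example that is not CI4MS's own code (CI4MS is a PHP / CodeIgniter 4 project; this is a language-neutral sketch in Python). The user table, token store and mail outbox are constructed stand-ins so the block runs offline.

```python
import hashlib
import secrets

# Constructed sample data standing in for the CMS user table and mail queue;
# none of it is CI4MS data.
USERS = {"alice@example.com": {"id": 1}}
RESET_TOKENS: dict = {}   # user id -> sha256(token), as an app would store it
OUTBOX: list = []         # (recipient, token) pairs instead of real e-mail

UNIFORM_REPLY = {
    "status": 200,
    "message": "If that address is registered, a reset link has been sent.",
}


def reset_vulnerable(email: str) -> dict:
    """Observable-discrepancy pattern (CWE-203/204): the reply itself tells the
    caller whether the address exists, which is the behaviour the advisory describes."""
    user = USERS.get(email)
    if user is None:
        return {"status": 404, "message": "No account found for this email address."}
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[user["id"]] = hashlib.sha256(token.encode()).hexdigest()
    OUTBOX.append((email, token))
    return {"status": 200, "message": "A reset link has been sent."}


def reset_hardened(email: str) -> dict:
    """Same status, same body and the same token work on both paths, so neither
    the response nor its rough timing reveals whether the address is registered.
    Only the side effects (stored hash, queued mail) depend on the lookup."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    user = USERS.get(email)
    if user is not None:
        RESET_TOKENS[user["id"]] = digest
        OUTBOX.append((email, token))
    return dict(UNIFORM_REPLY)


def replies_are_uniform(handler, registered: str, unregistered: str) -> bool:
    """Regression check a maintainer can keep in the test suite: the two replies
    must compare equal, field for field, or the endpoint still enumerates."""
    return handler(registered) == handler(unregistered)


if __name__ == "__main__":
    args = ("alice@example.com", "nobody@example.com")
    print("vulnerable handler uniform:", replies_are_uniform(reset_vulnerable, *args))
    print("hardened handler uniform:  ", replies_are_uniform(reset_hardened, *args))
```

Rate limiting or the CAPTCHA recommended above belongs in front of this handler as a second layer; it raises the cost of bulk queries but does not by itself remove the discrepancy.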

Generated by OpenCVE AI on April 18, 2026 at 14:08 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-654x-9q7r-g966
Title: CI4MS Vulnerable to User Email Enumeration via Password Reset Flow
History

Tue, 10 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-203
CPEs cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*

Wed, 04 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared: Ci4-cms-erp; Ci4-cms-erp ci4ms
Vendors & Products: Ci4-cms-erp; Ci4-cms-erp ci4ms

Tue, 03 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process. This issue has been patched in version 0.28.5.0.
Title CI4MS Vulnerable to User Email Enumeration via Password Reset Flow
Weaknesses CWE-204
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:30:49.532Z

Reserved: 2026-02-02T18:21:42.486Z

Link: CVE-2026-25509

Vulnrichment

Updated: 2026-02-04T16:30:46.635Z

NVD

Status : Analyzed

Published: 2026-02-03T22:16:31.433

Modified: 2026-02-10T18:41:26.530

Link: CVE-2026-25509

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses