Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints: such an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.
Published: 2026-02-03
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

CI4MS, a modular CMS built on CodeIgniter 4, contains a flaw in its file creation and save endpoints. An authenticated user who has file editor privileges can upload and save arbitrary PHP code, which the server then executes. This leads to full remote code execution on the web server. The weakness is rooted in improper file type validation (CWE-434) and uncontrolled code execution (CWE-94).

Affected Systems

The vulnerability affects the CI4MS CMS skeleton developed by ci4-cms-erp. All releases prior to version 0.28.5.0 are impacted, regardless of installation size or configuration, as long as file editor functionality is enabled. Versions 0.28.5.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 10 indicates critical severity. EPSS is reported as below 1% but not zero, meaning exploitation is unlikely but possible. The CVE is not present in the CISA KEV catalog. Attackers must be authenticated with file editor permissions, after which they can upload malicious PHP via HTTP requests. Once the code is saved, it is executed on the server without further input, giving the attacker full control over the affected system.

Generated by OpenCVE AI on April 18, 2026 at 18:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patched update, upgrading CI4MS to version 0.28.5.0 or later
  • Limit file editor permissions to trusted administrators only, to reduce the attack surface
  • Validate files written through the editor, enforcing extension checks that reject PHP and disallowing execution of user-supplied files; remove any existing malicious files from the server


Advisories
Source: GitHub GHSA
ID: GHSA-gp56-f67f-m4px
Title: CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor
History

Tue, 10 Feb 2026 18:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*

Wed, 04 Feb 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values added: Ci4-cms-erp; Ci4-cms-erp ci4ms
Type: Vendors & Products
Values added: Ci4-cms-erp; Ci4-cms-erp ci4ms

Tue, 03 Feb 2026 21:30:00 +0000

Type: Description
Values added: CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.
Type: Title
Values added: CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor
Type: Weaknesses
Values added: CWE-434; CWE-94
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:29:00.821Z

Reserved: 2026-02-02T18:21:42.486Z

Link: CVE-2026-25510

Vulnrichment

Updated: 2026-02-04T16:28:55.410Z

NVD

Status: Analyzed

Published: 2026-02-03T22:16:31.587

Modified: 2026-02-10T18:41:41.270

Link: CVE-2026-25510

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses