Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0.
Published: 2026-05-07
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Zip Slip flaw in the Backup::restore function of the CI4MS CMS. When an authenticated backend user with the backup create permission triggers a restore of a user-uploaded ZIP archive, the system extracts file entries without validating their names. This allows the attacker to place a PHP file under the public web root, enabling arbitrary code execution. The weakness is a path-traversal issue (CWE-22) that can be abused to modify or overwrite critical files or inject malicious scripts.
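As an added example that is not part of this advisory or of the ci4ms project, the following PHP shows the entry-name validation a restore routine needs before it extracts an uploaded archive: every entry name is checked lexically for absolute paths, drive letters, backslashes and `.`/`..` components, and the whole archive is refused if any entry fails. The function names (`isSafeEntryName`, `safeExtract`), the temporary directory layout and the demo archive are assumptions for illustration, not ci4ms code or its 0.31.5.0 patch.

```php
<?php
// Added example, not ci4ms code: reject Zip Slip entries before extraction.
// Function names and the demo archive below are assumptions for illustration.
declare(strict_types=1);

/**
 * Lexical check: an entry name is safe only if, joined under the destination
 * directory, it cannot name anything outside it. No filesystem access is
 * needed, so the decision is made before a single byte is written.
 */
function isSafeEntryName(string $entryName): bool
{
    // Empty names, NUL bytes and backslashes (alternate separators) are rejected outright.
    if ($entryName === '' || str_contains($entryName, "\0") || str_contains($entryName, '\\')) {
        return false;
    }
    // Absolute paths and Windows drive letters escape the destination by construction.
    if ($entryName[0] === '/' || preg_match('/^[A-Za-z]:/', $entryName) === 1) {
        return false;
    }
    // Any "." or ".." component is a traversal attempt, or at best ambiguous.
    foreach (explode('/', $entryName) as $component) {
        if ($component === '.' || $component === '..') {
            return false;
        }
    }
    return true;
}

/**
 * Extract $zipPath into $destDir only if every entry passes the check.
 * Returns the list of rejected entry names; nothing is written unless that
 * list is empty. Refusing the whole archive instead of skipping bad entries
 * keeps a half-applied restore from leaving the site inconsistent.
 */
function safeExtract(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || !isSafeEntryName($name)) {
            $rejected[] = $name === false ? "<entry $i>" : $name;
        }
    }
    if ($rejected === [] && !$zip->extractTo($destDir)) {
        $zip->close();
        throw new RuntimeException("extraction failed into $destDir");
    }
    $zip->close();
    return $rejected;
}

// Constructed demonstration archive: one benign entry and one traversal entry
// with harmless content, built in a throwaway temp directory.
$work = sys_get_temp_dir() . '/zipslip-demo-' . bin2hex(random_bytes(4));
mkdir("$work/restore", 0700, true);
$archive = "$work/backup.zip";

$zip = new ZipArchive();
$zip->open($archive, ZipArchive::CREATE);
$zip->addFromString('config/site.json', '{"title":"demo"}');
$zip->addFromString('../../public/traversal.txt', 'should never be written');
$zip->close();

$rejected = safeExtract($archive, "$work/restore");
echo $rejected === []
    ? "archive accepted\n"
    : "archive rejected, offending entries: " . implode(', ', $rejected) . "\n";
```

Run it with `php demo.php` on PHP 8 or later (it uses `str_contains`). The check is purely lexical on purpose: resolving paths with `realpath()` only works for files that already exist, so a prefix test on the resolved destination cannot protect the very write that creates the file. The audit log of a restore should also record the rejected names, since a traversal entry in an uploaded backup is a strong signal that the uploading account is compromised.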

Affected Systems

CI4MS, a CodeIgniter 4-based CMS skeleton, is affected by all releases prior to version 0.31.5.0. Users of those versions that have the backup create permission in the backend are at risk.

Risk and Exploitability

The CVSS score is 9.4, indicating critical severity. EPSS is not available, and the issue is not listed in CISA's KEV catalog. Exploitation requires only authentication to the backend with backup-create privileges, which is typically granted to site administrators or content managers. Once an attacker uploads a crafted ZIP and triggers a restore, they can drop a PHP file into the web root and execute it. Because the flaw is client-side and does not require special network access, the risk is high for any compromised or malicious administrator account.

Generated by OpenCVE AI on May 7, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ci4ms to version 0.31.5.0 or later to apply the vendor patch
  • Restrict the backup create permission to trusted administrator roles so that only privileged users can trigger a restore
  • If upgrade is not immediately possible, remove write permissions to the public web root for the web server and consider disabling the restore feature until the fix is applied



Advisories
Source: Github GHSA
ID: GHSA-xp9f-pvvc-57p4
Title: CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE
History

Thu, 07 May 2026 13:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 05:45:00 +0000

First Time appeared (values added): Ci4-cms-erp, Ci4-cms-erp ci4ms
Vendors & Products (values added): Ci4-cms-erp, Ci4-cms-erp ci4ms

Thu, 07 May 2026 04:15:00 +0000

Description (values added): CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0.
Title (values added): ci4ms Backup::restore is vulnerable to Zip Slip leading to RCE
Weaknesses (values added): CWE-22
References
Metrics (values added): cvssV4_0
{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Ci4-cms-erp Ci4ms
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T12:40:03.386Z

Reserved: 2026-04-18T02:51:52.974Z

Link: CVE-2026-41202

Vulnrichment

Updated: 2026-05-07T12:39:37.302Z

NVD

Status : Deferred

Published: 2026-05-07T04:16:27.453

Modified: 2026-05-07T14:57:13.077

Link: CVE-2026-41202

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T05:30:22Z

Weaknesses