Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0.
Published: 2026-05-07
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CI4MS’s Theme::upload function extracts user-provided ZIP archives without validating the path names of their entries. An authenticated backend user holding the theme‑create permission can embed a directory traversal entry name such as ../../../../public/evil.php. When the archive is extracted, the PHP file is written into the web root, where the attacker can request and execute it, allowing arbitrary code to run on the server.
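The fix for this class of bug is to validate every entry name before anything is written. The PHP routine below is an added illustration, not ci4ms’s own Theme::upload code or its 0.31.5.0 patch; it assumes PHP 8 with the bundled ZipArchive extension, and the class name SafeZipExtractor and the size limit are invented for the example. It refuses the whole archive on the traversal entry named above (and on absolute paths, drive letters, NUL bytes and oversized content), and re-checks each resolved parent directory with realpath() so a symlink already present under the theme directory cannot redirect a write outside it.

```php
<?php
declare(strict_types=1);

// Hypothetical hardened extractor (example code, not ci4ms's Theme::upload).
final class SafeZipExtractor
{
    // Cap on total uncompressed bytes so a small archive cannot fill the disk.
    private const MAX_TOTAL_BYTES = 50 * 1024 * 1024;

    /**
     * Return the entry's normalised path relative to the destination, or null
     * when the name must be rejected: absolute path, drive letter, NUL byte,
     * or any ".." segment (the Zip Slip vector).
     */
    public static function safeRelativePath(string $entryName): ?string
    {
        $name = str_replace('\\', '/', $entryName); // some archivers write Windows separators
        if ($name === '' || str_contains($name, "\0")) {
            return null;
        }
        if ($name[0] === '/' || preg_match('/^[A-Za-z]:/', $name) === 1) {
            return null;
        }
        $parts = [];
        foreach (explode('/', $name) as $segment) {
            if ($segment === '' || $segment === '.') {
                continue;
            }
            if ($segment === '..') {
                return null;
            }
            $parts[] = $segment;
        }
        return $parts === [] ? null : implode('/', $parts);
    }

    /** Extract $zipPath under $destDir; returns the relative paths written. */
    public static function extract(string $zipPath, string $destDir): array
    {
        $dest = realpath($destDir);
        if ($dest === false || !is_dir($dest)) {
            throw new RuntimeException("destination is not a directory: $destDir");
        }
        $zip = new ZipArchive();
        if ($zip->open($zipPath) !== true) {
            throw new RuntimeException("cannot open archive: $zipPath");
        }
        try {
            // Pass 1: validate every name before writing anything, so a bad entry
            // late in the archive cannot leave a half-extracted theme behind.
            $plan = [];
            $total = 0;
            for ($i = 0; $i < $zip->numFiles; $i++) {
                $stat = $zip->statIndex($i);
                $rel = self::safeRelativePath($stat['name']);
                if ($rel === null) {
                    throw new RuntimeException("rejected unsafe entry name: {$stat['name']}");
                }
                $total += $stat['size'];
                if ($total > self::MAX_TOTAL_BYTES) {
                    throw new RuntimeException('archive exceeds the uncompressed size limit');
                }
                $plan[] = [$i, $rel, str_ends_with($stat['name'], '/')];
            }
            // Pass 2: write, re-checking the resolved parent directory each time.
            $written = [];
            foreach ($plan as [$index, $rel, $isDir]) {
                $target = $dest . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $rel);
                $dir = $isDir ? $target : dirname($target);
                if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
                    throw new RuntimeException("cannot create directory: $dir");
                }
                $realDir = realpath($dir); // resolves symlinks that the lexical check cannot see
                if ($realDir === false || !str_starts_with($realDir . DIRECTORY_SEPARATOR, $dest . DIRECTORY_SEPARATOR)) {
                    throw new RuntimeException("entry resolves outside destination: $rel");
                }
                if ($isDir) {
                    continue;
                }
                $stream = $zip->getStream($zip->getNameIndex($index));
                if ($stream === false || file_put_contents($target, $stream) === false) {
                    throw new RuntimeException("cannot write: $rel");
                }
                fclose($stream);
                $written[] = $rel;
            }
            return $written;
        } finally {
            $zip->close();
        }
    }
}

// Constructed demonstration in a scratch directory: the archive carrying the
// traversal name from the analysis is refused in full; a clean theme extracts.
$tmp = sys_get_temp_dir() . '/zipslip-demo-' . bin2hex(random_bytes(4));
mkdir("$tmp/themes", 0755, true);
$bad = new ZipArchive();
$bad->open("$tmp/bad.zip", ZipArchive::CREATE);
$bad->addFromString('mytheme/style.css', 'body{}');
$bad->addFromString('../../../../public/evil.php', 'placeholder, never written');
$bad->close();
try {
    SafeZipExtractor::extract("$tmp/bad.zip", "$tmp/themes");
} catch (RuntimeException $e) {
    echo "refused: {$e->getMessage()}\n";
}
$good = new ZipArchive();
$good->open("$tmp/good.zip", ZipArchive::CREATE);
$good->addFromString('mytheme/style.css', 'body{}');
$good->addFromString('mytheme/views/home.html', '<h1>home</h1>');
$good->close();
print_r(SafeZipExtractor::extract("$tmp/good.zip", "$tmp/themes"));
```

Two design choices matter here. Validation runs over the whole archive before the first write, so a hostile entry anywhere in the ZIP rejects the upload as a unit instead of leaving a partially installed theme. And the realpath() comparison is deliberately kept even though the lexical check already strips "..": it is the only part that catches a pre-existing symlink under the themes directory pointing at the web root.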

Affected Systems

The affected product is the ci4ms CMS from ci4-cms-erp. Any installation running a version earlier than 0.31.5.0 is vulnerable; the fix shipped in version 0.31.5.0.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.4, indicating critical severity. The EPSS score is not available, and the issue is not listed in CISA’s KEV catalog. Exploitation requires an authenticated user with the theme‑create role, a condition that is usually satisfied by content administrators or developers. Once the malicious PHP file is dropped, the attacker achieves remote code execution with the privileges of the web server process. The lack of additional access controls makes the attack vector straightforward for any such user.

Generated by OpenCVE AI on May 7, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade ci4ms to version 0.31.5.0 or later
  • Revoke or limit theme‑create permissions to trusted accounts only
  • Audit the filesystem for uploaded PHP payloads and remove them

Advisories

Source: GitHub GHSA
ID: GHSA-xv3r-vr59-95rg
Title: CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE
History

Thu, 07 May 2026 14:15:00 +0000

  Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 05:45:00 +0000

  First Time appeared (values added): Ci4-cms-erp; Ci4-cms-erp ci4ms
  Vendors & Products (values added): Ci4-cms-erp; Ci4-cms-erp ci4ms

Thu, 07 May 2026 04:15:00 +0000

  Description (values added): CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0.
  Title (values added): ci4ms Theme::upload is vulnerable to Zip Slip leading to RCE
  Weaknesses (values added): CWE-22
  References
  Metrics (values added): cvssV4_0
    {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:49:58.012Z

Reserved: 2026-04-18T02:51:52.974Z

Link: CVE-2026-41203

Vulnrichment

Updated: 2026-05-07T13:46:23.739Z

NVD

Status: Deferred

Published: 2026-05-07T04:16:27.670

Modified: 2026-05-07T15:16:06.593

Link: CVE-2026-41203

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T05:30:22Z

Weaknesses