Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version 0.31.7.0, a theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension or content filtering, making them directly executable via HTTP. This issue has been patched in version 0.31.7.0.
Published: 2026-05-07
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in CI4MS is an unrestricted file upload in the theme installation process: any authenticated backend user who holds the theme-upload permission can upload a ZIP archive containing PHP code. When the archive is unpacked, its files are copied into the web-accessible public/ directory without extension or content filtering, so any PHP file it contains becomes directly executable over HTTP. The result is authenticated remote code execution (RCE): the attacker runs arbitrary code as the web server process and can potentially take full control of the host. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

The affected product is the CI4MS framework developed by ci4-cms-erp. Versions starting with 0.26.0.0 up to, but not including, 0.31.7.0 are vulnerable. Any deployment of these versions in which at least one backend account holds the theme-upload permission is exposed.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 8.6 (High), with high impact on the confidentiality, integrity and availability of the vulnerable system (VC:H/VI:H/VA:H). The EPSS score is below 1% and the flaw is not listed in CISA's KEV catalog, but the SSVC assessment recorded on 7 May 2026 notes that a proof of concept exists, that exploitation is automatable and that the technical impact is total. The CVSS vector rates the required privileges as high (PR:H); in practice any backend account granted the theme-upload permission suffices, and that permission is not necessarily limited to administrators. An attacker logs into the backend, opens the theme-upload function and uploads a crafted ZIP; once the archive is extracted, the planted PHP file is reachable at its public URL and executes immediately.
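The hardened counterpart to the behaviour described above, as an added example that is not CI4MS's code (the project is written in PHP; this Python reproduces the same checks so it can be run here): every ZIP member is validated by name and by content before anything is written under public/, the whole archive is refused on the first problem, and the code is exercised against a constructed archive carrying a webshell, a zip-slip path, PHP inside an .svg and an .htaccess handler override. The allowed-extension policy, the themes/<name>/ layout and all sample files are assumptions made for the example.

```python
"""Added example (not CI4MS code): validate a theme ZIP before any member
reaches public/. Assumptions: themes ship only static assets (the
ALLOWED_EXTENSIONS set is ours) and templates live outside the web root,
so any server-side code in the archive rejects the whole upload."""
import io
import os
import posixpath
import re
import stat
import tempfile
import zipfile

# Asset types a theme may place under public/ (assumed policy, not CI4MS's).
ALLOWED_EXTENSIONS = {"css", "js", "map", "png", "jpg", "jpeg", "gif", "webp",
                      "svg", "ico", "woff", "woff2", "ttf", "eot", "txt"}
# Rejected wherever they appear in the name (a.php.jpg, x.phtml). .htaccess is
# included because on Apache it can map .jpg onto the PHP handler.
DANGEROUS_TOKENS = re.compile(
    r"\.(php\d*|phtml|phar|phps|pht|inc|cgi|pl|htaccess)(\.|$)", re.I)
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.I)


def check_entry(info):
    """Return a rejection reason for one member, or None if its name is acceptable."""
    name = info.filename
    norm = posixpath.normpath(name)
    # Zip slip: an absolute path or a leading '..' would escape the theme directory.
    if name.startswith("/") or "\\" in name or ":" in name \
            or norm == ".." or norm.startswith("../"):
        return "path traversal"
    if info.is_dir():
        return None
    # Unix mode sits in the high 16 bits; a symlink member could alias a path outside public/.
    if stat.S_ISLNK(info.external_attr >> 16):
        return "symlink entry"
    base = posixpath.basename(norm)
    if base.startswith(".") or DANGEROUS_TOKENS.search(base):
        return "dangerous file name"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        return "extension not in allow-list"
    return None


def validate_theme_zip(data):
    """Check every member by name and content; returns (accepted names, {name: reason})."""
    accepted, rejected = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = check_entry(info)
            # An allowed type (.svg, .css) that still carries a PHP open tag is
            # rejected as well: a misconfigured handler would execute it.
            if reason is None and not info.is_dir() and PHP_OPEN_TAG.search(zf.read(info)):
                reason = "PHP open tag in content"
            if reason:
                rejected[info.filename] = reason
            elif not info.is_dir():
                accepted.append(info.filename)
    return accepted, rejected


def install_theme(data, public_dir, theme):
    """Refuse the archive if any member fails; otherwise write only the accepted
    files under public/themes/<theme>/. The pre-0.31.7.0 behaviour described on
    this page corresponds to a plain ZipFile(...).extractall(public_dir)."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", theme):
        raise ValueError("bad theme name")
    accepted, rejected = validate_theme_zip(data)
    if rejected:
        raise ValueError(f"rejected theme upload: {rejected}")
    dest, written = os.path.join(public_dir, "themes", theme), []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in accepted:
            target = os.path.join(dest, *posixpath.normpath(name).split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as dst:
                dst.write(zf.read(name))
            written.append(target)
    return written


def build_demo_zip(malicious=True):
    """Constructed sample archive: one benign stylesheet, optionally plus payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/style.css", "body { color: #333; }")
        if malicious:
            zf.writestr("shell.php", "<?php system($_GET['c']);")      # direct webshell
            zf.writestr("../../index.php", "<?php echo 'owned';")      # zip slip
            zf.writestr("logo.svg", "<svg/><?php phpinfo(); ?>")        # code in a 'safe' type
            zf.writestr("img/.htaccess", "AddType application/x-httpd-php .jpg")
    return buf.getvalue()


def demo():
    """Run both archives through the hardened path and report what happened."""
    accepted, rejected = validate_theme_zip(build_demo_zip())
    with tempfile.TemporaryDirectory() as public_dir:
        written = install_theme(build_demo_zip(malicious=False), public_dir, "demo")
        clean_ok = len(written) == 1 and os.path.isfile(written[0])
        try:
            install_theme(build_demo_zip(), public_dir, "demo")
            blocked = False
        except ValueError:
            blocked = True
    return {"accepted": accepted, "rejected": rejected,
            "clean_install_ok": clean_ok, "malicious_blocked": blocked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rejecting the whole archive rather than skipping bad members matters: an upload that mixes a legitimate stylesheet with a webshell is an attack, not a theme with a stray file, and silently dropping the payload would hide that from the operator.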

Generated by OpenCVE AI on May 7, 2026 at 05:57 UTC.

Remediation

Patched in CI4MS 0.31.7.0 (GitHub advisory GHSA-fw49-9xq4-gmx6). No vendor workaround is documented for earlier versions; see the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade to CI4MS version 0.31.7.0 or later, which contains the fix
  • Restrict the theme-upload permission to trusted administrators only
  • If theme upload is not needed, disable or remove the upload capability
  • Scan the public/ directory for PHP files that are not part of the stock installation, treat any found as evidence of compromise, and remove them
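For the last action above, an added example (not part of CI4MS or OpenCVE) of a hunt over public/ that flags files by PHP-style extension anywhere in the name, by a PHP open tag in the content regardless of extension, and by handler-override files, recording a SHA-256 for each finding. The directory tree it scans is constructed inside the script; the exclusion of public/index.php relies on that file being CodeIgniter 4's front controller, and its hash should still be compared with the shipped release.

```python
"""Added example (not CI4MS code): hunt for server-side code that an
unfiltered theme upload may already have dropped under public/. The
directory layout and every sample file below are constructed here so the
script runs offline; public/index.php is CodeIgniter 4's front controller
and is excluded by path, not by content."""
import hashlib
import os
import re
import tempfile

PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                  "phtml", "phar", "phps", "pht", "inc"}
HANDLER_OVERRIDES = {".htaccess", ".user.ini"}  # can make the server execute other extensions
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.I)
EXEC_SINKS = re.compile(
    rb"\b(system|exec|shell_exec|passthru|eval|assert|popen|proc_open)\s*\(", re.I)
KNOWN_GOOD = {"index.php"}  # stock CI4 front controller; verify its hash against the release


def classify_file(path):
    """Return the reasons a file under the web root is suspicious, or [] if none."""
    reasons = []
    name = os.path.basename(path)
    # Check every dotted segment so cat.php.jpg is caught as well as shell.php.
    if any(seg in PHP_EXTENSIONS for seg in name.lower().split(".")[1:]):
        reasons.append("php extension")
    if name in HANDLER_OVERRIDES:
        reasons.append("handler override file")
    with open(path, "rb") as fh:
        head = fh.read(1 << 20)  # the first MiB is plenty for a dropped webshell
    if PHP_OPEN_TAG.search(head):
        reasons.append("php open tag")
        if EXEC_SINKS.search(head):
            reasons.append("command execution sink")
    return reasons


def hunt(public_dir, since=None, known_good=KNOWN_GOOD):
    """Walk public/ and return {relative path: {"reasons", "sha256", "mtime"}}.
    `since` (epoch seconds) limits the hunt to files modified after the
    vulnerable version went live."""
    findings = {}
    for root, _dirs, files in os.walk(public_dir):
        for fname in files:
            path = os.path.join(root, fname)
            rel = os.path.relpath(path, public_dir).replace(os.sep, "/")
            if rel in known_good:
                continue
            st = os.stat(path)
            if since is not None and st.st_mtime < since:
                continue
            reasons = classify_file(path)
            if reasons:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                findings[rel] = {"reasons": reasons, "sha256": digest, "mtime": st.st_mtime}
    return findings


def build_sample_public_dir():
    """Constructed stand-in for a compromised public/ tree (all contents illustrative)."""
    root = tempfile.mkdtemp(prefix="ci4ms_public_")
    samples = {
        "index.php": b"<?php require 'stand-in front controller';",
        "themes/dark/style.css": b"body { background: #000; }",
        "themes/dark/shell.php": b"<?php system($_GET['c']); ?>",
        "themes/dark/img/logo.svg": b"<svg/><?php eval($_POST['x']); ?>",
        "themes/dark/img/cat.php.jpg": b"\xff\xd8\xff<?= `id` ?>",
        "themes/dark/.htaccess": b"AddType application/x-httpd-php .jpg",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Hunt over the constructed tree; returns the findings keyed by relative path."""
    return hunt(build_sample_public_dir())


if __name__ == "__main__":
    for rel, info in sorted(demo().items()):
        print(f"{rel}: {', '.join(info['reasons'])} sha256={info['sha256'][:16]}...")
```

Content matching is what catches the .svg and the double-extension file; an extension-only sweep would miss both, and the .htaccess line is precisely what makes the .jpg executable on an Apache host.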

Advisories

Source: GitHub GHSA
ID: GHSA-fw49-9xq4-gmx6
Title: CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution
History

Thu, 07 May 2026 14:15:00 +0000

Metrics (added): ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 05:45:00 +0000

First Time appeared (added): Ci4-cms-erp; Ci4-cms-erp ci4ms
Vendors & Products (added): Ci4-cms-erp; Ci4-cms-erp ci4ms

Thu, 07 May 2026 04:15:00 +0000

Description (added): as given in the Description section at the top of this page
Title (added): CI4MS: Unrestricted PHP File Upload via Theme Installation Leads to Authenticated Remote Code Execution
Weaknesses (added): CWE-434
References (added):
Metrics (added): cvssV4_0
{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:43:20.471Z

Reserved: 2026-04-21T14:15:21.959Z

Link: CVE-2026-41587

Vulnrichment

Updated: 2026-05-07T13:43:05.794Z

NVD

Status : Deferred

Published: 2026-05-07T04:16:27.860

Modified: 2026-05-07T15:16:07.307

Link: CVE-2026-41587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:00:16Z

Weaknesses