Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess() action accepts a POST parameter tables[] containing arbitrary table names. These are passed directly to $forge->dropTable() without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables[] from the theme's own migration files, but the server-side deleteProcess does not verify the received values against those files. An authenticated admin can craft a POST request with arbitrary table names and drop any table in the database. This issue has been patched in version 0.31.8.0.
Published: 2026-05-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CI4MS is a CodeIgniter 4‑based CMS skeleton that supports theme deletion. The vulnerability lies in the deleteProcess() action, which accepts a POST parameter tables[] containing arbitrary table names. The values are passed directly to $forge->dropTable() without validation, enabling an authenticated admin to drop any table in the database. This can lead to irreversible data loss and potentially disrupt application availability.

Affected Systems

The flaw affects all CI4MS releases from version 0.31.1.0 up to, but not including, version 0.31.8.0. Systems running any of those versions are vulnerable to any user who holds administrative access.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium‑to‑high severity issue, and the lack of an EPSS rating means the exploitation probability is unknown. The vulnerability is not listed in CISA’s KEV catalog, but because it requires authenticated administrative rights, it represents a moderate systemic risk. An attacker who can log in as a privileged administrator could send a crafted POST request to the deleteProcess endpoint to drop arbitrary tables, leading to data loss.

Generated by OpenCVE AI on May 7, 2026 at 05:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CI4MS to version 0.31.8.0 or later, which validates table names before dropping them.
  • Restrict administrative access so that only trusted users can delete themes and perform database operations.
  • Implement server‑side checks in the deleteProcess endpoint to verify that requested tables match the theme’s migration files or other housekeeping data.
  • Maintain regular database backups to recover from accidental data loss if an exploit occurs.
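The unchecked pattern the description calls out, beside a server-side check of the kind the third action recommends, as an added PHP example written for this page and not code taken from CI4MS; allowedTablesForTheme(), the migration-file path and the createTable() regex are assumptions about the theme layout.

```php
<?php
// Added example, not CI4MS's own code. allowedTablesForTheme(), the
// migration-file path and the createTable() regex are assumptions.

use CodeIgniter\Database\Forge;

// Assumed helper: collect the table names the theme's own migrations create.
// The advisory says deleteConfirm already derives tables[] from these files;
// the fix is to derive the same allow-list on the server side.
function allowedTablesForTheme(string $themeDir): array
{
    $tables = [];
    foreach (glob($themeDir . '/Database/Migrations/*.php') ?: [] as $file) {
        // Assumed convention: migrations call $this->forge->createTable('name', ...)
        $src = (string) file_get_contents($file);
        if (preg_match_all('/createTable\(\s*[\'"]([A-Za-z0-9_]+)[\'"]/', $src, $m)) {
            $tables = array_merge($tables, $m[1]);
        }
    }
    return array_values(array_unique($tables));
}

// Vulnerable shape (as described): every posted name reaches dropTable().
function deleteProcessVulnerable(Forge $forge, array $postedTables): void
{
    foreach ($postedTables as $table) {
        $forge->dropTable($table, true); // no check that $table belongs to the theme
    }
}

// Hardened shape: reject the whole request if any posted name is not one of
// the theme's own tables, so a crafted tables[] never reaches dropTable().
function deleteProcessHardened(Forge $forge, string $themeDir, array $postedTables): array
{
    $allowed = allowedTablesForTheme($themeDir);
    foreach ($postedTables as $table) {
        if (!is_string($table) || !in_array($table, $allowed, true)) {
            throw new \InvalidArgumentException(
                'Refusing to drop a table not owned by this theme: ' . var_export($table, true)
            );
        }
    }
    $dropped = array_values(array_unique($postedTables));
    foreach ($dropped as $table) {
        $forge->dropTable($table, true);
    }
    return $dropped; // returned so the caller can log what was removed
}
```

Comparing posted names against the migration-derived list with strict equality is what closes the gap the description points out between deleteConfirm and deleteProcess.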

Advisories

Source: GitHub GHSA
ID: GHSA-vgrf-pr28-vf98
Title: CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess
History

Thu, 07 May 2026 14:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 06:30:00 +0000

Values added:
  First Time appeared: Ci4-cms-erp; Ci4-cms-erp ci4ms
  Vendors & Products: Ci4-cms-erp; Ci4-cms-erp ci4ms

Thu, 07 May 2026 04:15:00 +0000

Values added:
  Description: (the vulnerability description shown at the top of this page)
  Title: CI4MS: Arbitrary Database Table Drop via Theme deleteProcess
  Weaknesses: CWE-20
  References: (no values listed)
  Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:42:35.440Z

Reserved: 2026-04-22T15:11:54.671Z

Link: CVE-2026-41890

Vulnrichment

Updated: 2026-05-07T13:42:20.320Z

NVD

Status: Received

Published: 2026-05-07T04:16:33.740

Modified: 2026-05-07T04:16:33.740

Link: CVE-2026-41890

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:15:23Z

Weaknesses