CVE-2026-25509

Published: Feb 3, 2026Modified: Feb 10, 2026

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process. This issue has been patched in version 0.28.5.0.

Affected (1)

Products: Ci4 Cms Erp: Ci4ms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ci4 Cms Erp Ci4ms	Before 0.28.5.0

Related CWEs

Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References (2)

https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653

Source: security-advisories@github.com

Patch

https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-654x-9q7r-g966

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.