CVE-2026-25510

Published: Feb 3, 2026Modified: Feb 10, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.

Affected (1)

Products: Ci4 Cms Erp: Ci4ms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ci4 Cms Erp Ci4ms	Before 0.28.5.0

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653

Source: security-advisories@github.com

Patch

https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.