CVE-2026-25510
EUVD-2026-516203.02.2026, 22:16
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| ci4-cms-erp | ci4ms | 𝑥 < 0.28.5.0 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-94 - Improper Control of Generation of Code ('Code Injection')The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- CWE-434 - Unrestricted Upload of File with Dangerous TypeThe software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.