CI4MS: Unrestricted PHP File Upload via Theme Installation Leads to...

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version 0.31.7.0, a theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension or content filtering, making them directly executable via HTTP. This issue has been patched in version 0.31.7.0.

AI Analysis

Unrestricted PHP file upload via theme installation leads to authenticated remote code execution

Basic Information

ID CVE-2026-41587

Source GitHub_M

Published May 7, 2026 at 03:14

Affected Product

Vendor ci4-cms-erp

Product ci4ms

Version >= 0.26.0.0, < 0.31.7.0

Affected Versions ci4-cms-erp ci4ms >= 0.26.0.0, < 0.31.7.0

CWE Classification

CWE-434

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor ci4-cms-erp

Product CI4MS

Version 0.26.0.0 to 0.31.7.0

References

{
    "lastseen": "",
    "description": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version 0.31.7.0, a theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension or content filtering, making them directly executable via HTTP. This issue has been patched in version 0.31.7.0.",
    "published": "2026-05-07T03:14:38.631Z",
    "modified": "2026-05-07T03:14:38.631Z",
    "type": "cve",
    "title": "CI4MS: Unrestricted PHP File Upload via Theme Installation Leads to Authenticated Remote Code Execution",
    "source": "GitHub_M",
    "references": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fw49-9xq4-gmx6\nhttps://github.com/ci4-cms-erp/ci4ms/commit/b969465e71eacd9eb57014ad1fce1fc34fa7bca0",
    "id": "CVE-2026-41587",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "ci4-cms-erp ci4ms >= 0.26.0.0, < 0.31.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ci4ms",
    "version": ">= 0.26.0.0, < 0.31.7.0",
    "vendor": "ci4-cms-erp",
    "ai_description": "Unrestricted PHP file upload via theme installation leads to authenticated remote code execution",
    "ai_severity": "High",
    "ai_vendor": "ci4-cms-erp",
    "ai_product": "CI4MS",
    "ai_version": "0.26.0.0 to 0.31.7.0",
    "ai_score": 8.6
}

CI4MS: Unrestricted PHP File Upload via Theme Installation Leads to Authenticated Remote Code Execution_CVE-2026-41587