CVE-2026-25510

CRITICAL

Ci4-cms-erp Ci4ms < 0.28.5.0 - Code Injection

Title source: rule

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.

References (2)

[Exploit, Vendor Advisory] https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px

[Patch] https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653

View Patch ZIP pw:eip

Scores

CVSS v3 9.9

EPSS 0.0016

EPSS Percentile 36.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94 CWE-434

Status published

Products (2)

ci4-cms-erp/ci4ms < 0.28.5.0

ci4-cms-erp/ci4ms 0 - 0.28.5.0Packagist

Published Feb 03, 2026

Tracked Since Feb 18, 2026