CVE-2026-39389

MEDIUM

CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files

Title source: cna

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0.

References (1)

[X_Refsource_Confirm] https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-9rxp-f27p-wv3h

Scores

CVSS v3 6.7

EPSS 0.0002

EPSS Percentile 4.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-285

Status published

Products (2)

ci4-cms-erp/ci4ms < 0.31.4.0 (2 CPE variants)

ci4-cms-erp/ci4ms 0 - 0.31.4.0Packagist

Published Apr 08, 2026

Tracked Since Apr 08, 2026