CVE-2026-25510
published 2026-02-03

Priority: P2 (63)
Severity: high, CVSS 3.1 base score 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.80% (52.2nd percentile)
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints to upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.

Affected

2 ranges

Vendor        Product   Version range       Fixed in
ci4-cms-erp   ci4ms     < 0.28.5.0          0.28.5.0
ci4-cms-erp   ci4ms     >= 0, < 0.28.5.0    0.28.5.0

Detection & IOCs (extracted from sources)

  • An authenticated user with file editor permissions abuses the file creation and save endpoints to upload and execute arbitrary PHP code on the server, resulting in RCE.
  • The vulnerability only affects CI4MS versions prior to 0.28.5.0; exploitation requires an authenticated session with file editor permissions (not unauthenticated).
  • The issue has been patched; upgrading to version 0.28.5.0 or later remediates the vulnerability.