cbcvebase.
CVE-2026-39394
published 2026-04-08


Priority: P2 61
CVSS 3.1: 9.8 critical, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.52% (40.0th percentile)
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings(), which writes it into the .env file via preg_replace(). Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration directives into the .env file. The install routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when cache('settings') is empty (cache expiry or fresh deployment). This vulnerability is fixed in 0.31.4.0.

Affected (2 ranges)

Vendor       | Product | Version range      | Fixed in
ci4-cms-erp  | ci4ms   | < 0.31.4.0         | 0.31.4.0
ci4-cms-erp  | ci4ms   | >= 0, < 0.31.4.0   | 0.31.4.0

Detection & IOCs (extracted from sources)

Path: .env
  • Monitor POST requests to the install route (Install::index() controller) containing newline characters (\n or \r\n) in the `host` parameter, which indicates an attempt to inject arbitrary directives into the .env file.
  • Alert on unauthenticated POST requests to the install/setup wizard route, especially when the application cache is empty (cache miss on 'settings'), as the InstallFilter guard fails open under this condition.
  • Detect unexpected modifications to the .env file on disk (file integrity monitoring), particularly following unauthenticated requests to the install route.
  • The InstallFilter bypass is conditional: it only occurs when cache('settings') is empty due to TTL expiry, cache clear, or fresh deployment. Detection and blocking logic must account for this transient window.
  • CSRF protection is explicitly disabled on the install routes, meaning standard CSRF-based defenses will not block exploitation of this vulnerability.
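The three monitoring points above (CR/LF in the `host` parameter, unauthenticated POSTs to the install route while the settings cache is empty, and unexpected changes to .env) can be expressed as simple checks. The following is an added example written for this page, not code from the ci4-cms-erp project or from the CVE record; the install route shape (`/install`), the request model, the caller knowing the cache state, and the sample .env keys are all assumptions.

```python
"""Detection checks for the CI4MS .env injection pattern (added example).

Not the project's code. Assumptions: the install wizard lives under a path
segment named "install", requests are handed over as parsed form
dictionaries, and the caller knows whether cache('settings') is populated.
"""
import re
from dataclasses import dataclass

INSTALL_PATH = re.compile(r"(^|/)install(/|$)", re.IGNORECASE)  # assumed route
NEWLINE = re.compile(r"[\r\n]")
# A database host is a hostname or host:port; anything else is suspicious.
SAFE_HOST = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")


@dataclass
class Request:
    method: str
    path: str
    params: dict
    authenticated: bool = False
    settings_cached: bool = True  # True when cache('settings') is non-empty


def inspect_request(req: Request) -> list[str]:
    """Return detection findings for one request to the install route."""
    findings: list[str] = []
    if req.method.upper() != "POST" or not INSTALL_PATH.search(req.path):
        return findings

    host = req.params.get("host", "")
    if NEWLINE.search(host):
        # Newline in the value is the precondition for writing extra
        # directives into .env via the unvalidated preg_replace() path.
        findings.append("CRLF in host parameter on install route (.env directive injection attempt)")
    elif host and not SAFE_HOST.match(host):
        findings.append("host parameter is not a plain hostname[:port]")

    if not req.authenticated:
        # The InstallFilter guard fails open only while the cache is empty,
        # so that window gets the higher severity.
        severity = "high" if not req.settings_cached else "medium"
        findings.append(
            f"unauthenticated POST to install route "
            f"(settings cache empty: {not req.settings_cached}, severity {severity})"
        )
    return findings


def parse_env(text: str) -> dict:
    """Parse KEY = value lines of a dotenv file; comments and blanks ignored."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def diff_env(old_text: str, new_text: str) -> set:
    """Keys added, changed, or removed between two .env snapshots.

    Intended for file-integrity alerting: any non-empty result right after an
    install-route request deserves a look.
    """
    old, new = parse_env(old_text), parse_env(new_text)
    changed = {k for k in new if old.get(k) != new[k]}
    removed = {k for k in old if k not in new}
    return changed | removed


if __name__ == "__main__":
    # Constructed sample: a benign request and one carrying a CRLF payload.
    benign = Request("POST", "/install", {"host": "db.internal"}, authenticated=True)
    suspicious = Request("POST", "/install", {"host": "localhost\nCI_ENVIRONMENT = development"})
    print(inspect_request(benign))
    print(inspect_request(suspicious))
    # Constructed .env snapshots (keys are illustrative, not the project's).
    before = "database.default.hostname = localhost\n"
    after = "database.default.hostname = localhost\nCI_ENVIRONMENT = development\n"
    print(diff_env(before, after))
```

`inspect_request` is written for a request-level hook (a WAF rule, a middleware, or a log replayer that has the decoded form body); an ordinary access log does not contain POST bodies, so the CRLF check needs body-level visibility. `diff_env` is the file-integrity side and is deliberately independent of the request path so it still fires when the write came through some other route.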