CVE-2026-45139
published 2026-05-18


Severity: medium
CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations

## Summary

The Fileeditor module enforces an extension allowlist (`['css','js','html','txt','json','sql','md']`) on content-write operations (`saveFile`, `createFile`), but two destructive endpoints — `deleteFileOrFolder` and `renameFile` — never validate the extension of the *source* path. A backend user with file-editor permissions can therefore unlink or rename any file inside the project root that is not explicitly listed in the small `$hiddenItems` blocklist. Critical framework files such as `app/Config/Routes.php`, `app/Config/App.php`, `app/Config/Database.php`, `app/Config/Filters.php`, `public/index.php`, and `public/.htaccess` all live outside that blocklist and can be destroyed, producing a persistent denial of service that requires filesystem-level redeployment to recover.

## Details

Root cause: inconsistent application of the extension allowlist across Fileeditor operations in `modules/Fileeditor/Controllers/Fileeditor.php`.

The class declares an allowlist used by content-write operations:

```php
// modules/Fileeditor/Controllers/Fileeditor.php:9
protected $allowedExtensions = ['css', 'js', 'html', 'txt', 'json', 'sql', 'md'];

// line 239
private function allowedFileTypes(string $file): bool
{
    $extension = pathinfo($file, PATHINFO_EXTENSION);
    if (!in_array(strtolower($extension), $this->allowedExtensions)) {
        return false;
    }
    return true;
}
```

`saveFile` (line 110) and `createFile` (line 167) correctly call `allowedFileTypes()` against the target path before writing. The two destructive endpoints do not:

```php
// deleteFileOrFolder — modules/Fileeditor/Controllers/Fileeditor.php:210-237
public function deleteFileOrFolder()
{
    $valData = ([
        'path' => ['label' => '', 'rules' => 'required|max_length[255]|regex_match[/^[a-zA-Z0-9_ \-\.\/]+$/]'],
    ]);
    if ($this->validate($valData) == false) return $this->fail($this->va
```
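The following is an added example, not CI4MS code and not the project's 0.31.9.0 fix: it shows one way to apply the same extension allowlist to the source path of delete and rename operations, combined with a project-root containment check. The function names (`assertAllowedExtension`, `resolveInsideRoot`, `deleteFile`, `renameFile`) and the standalone layout are assumptions.

```php
<?php
// Added example, not CI4MS code or its 0.31.9.0 fix: one guard applied to the
// source path of delete/rename as well as to write targets. Names are assumptions.
declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['css', 'js', 'html', 'txt', 'json', 'sql', 'md'];

// Same allowlist the write paths use; lower-cased so "Routes.PHP" is rejected too.
function assertAllowedExtension(string $path): void
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new RuntimeException("extension not allowed: {$path}");
    }
}

// Resolves $relative under $projectRoot (following ".." and symlinks) and
// returns the absolute path only if it is the root itself or lies inside it.
function resolveInsideRoot(string $projectRoot, string $relative): string
{
    $root = realpath($projectRoot);
    $full = realpath($projectRoot . DIRECTORY_SEPARATOR . $relative);
    if ($root === false || $full === false
        || ($full !== $root && strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0)) {
        throw new RuntimeException("path outside project root: {$relative}");
    }
    return $full;
}

function deleteFile(string $projectRoot, string $relative): bool
{
    assertAllowedExtension($relative);            // the check deleteFileOrFolder lacks
    $full = resolveInsideRoot($projectRoot, $relative);
    return is_file($full) && unlink($full);
}

function renameFile(string $projectRoot, string $from, string $to): bool
{
    assertAllowedExtension($from);                // source: the check renameFile lacks
    assertAllowedExtension($to);                  // destination
    $src = resolveInsideRoot($projectRoot, $from);
    // The destination may not exist yet, so resolve its directory and append the name.
    $dir  = resolveInsideRoot($projectRoot, dirname($to));
    $name = basename($to);
    if ($name === '' || $name === '.' || $name === '..') {
        throw new RuntimeException("invalid destination name: {$to}");
    }
    return rename($src, $dir . DIRECTORY_SEPARATOR . $name);
}
```

This example only handles files; the module's folder deletion and its `$hiddenItems` blocklist are left in place as additional layers rather than replaced by the allowlist.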

## Affected

One affected version range:

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ci4-cms-erp | ci4ms | >= 0, < 0.31.9.0 | 0.31.9.0 |