Ci4-Cms-Erp Ci4Ms vulnerabilities
36 known vulnerabilities affecting ci4-cms-erp/ci4ms.
Total CVEs: 36 | CISA KEV: 0 | Public exploits: 0 | Exploited in wild: 0
Severity breakdown: CRITICAL 19 | HIGH 9 | MEDIUM 8
Vulnerabilities
Page 2 of 2
CVE-2026-34564 | P3 | CRITICAL | CVSS 9.0 | fixed in 0.31.0.0 | 2026-04-01
CWE-79
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Pages to navigation menus through the Menu Management functionality. Page-related data selected via the
Sources: GHSA, NVD, OSV
CVE-2026-34559 | P3 | CRITICAL | CVSS 9.0 | fixed in 0.31.0.0 | 2026-04-01
CWE-79
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, w
Sources: GHSA, NVD, OSV
CVE-2026-34568 | P3 | CRITICAL | CVSS 9.0 | fixed in 0.31.0.0 | 2026-04-01
CWE-79
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker can inject a malicious JavaScript payload into blog post content, w
Sources: GHSA, NVD, OSV
CVE-2026-34989 | P3 | CRITICAL | CVSS 9.0 | fixed in 0.31.0.0 | fixed in 31.0.0.0 | 2026-04-06
CWE-79
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload int
Sources: GHSA, NVD, OSV
CVE-2026-34567 | P3 | CRITICAL | CVSS 9.0 | fixed in 0.31.0.0 | 2026-04-01
CWE-79
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts within the Categories section. An attacker can inject a malicious JavaScript pay
Sources: GHSA, NVD, OSV
CVE-2026-34561 | P3 | HIGH | CVSS 8.4 | fixed in 0.31.0.0 | 2026-04-01
CWE-79
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Social Media Management. Multiple configuration fields, including Social Media and Social Media
Sources: GHSA, NVD, OSV
CVE-2026-39389 | P3 | HIGH | CVSS 7.2 | fixed in 0.31.4.0 | 2026-04-08
CWE-285
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, … This vulnerability is fixed in 0.31.4.0.
Sources: GHSA, NVD, OSV
CVE-2026-41890 | P3 | MEDIUM | CVSS 6.9 | affected ≥ 0.31.1.0, < 0.31.8.0 | 2026-05-07
CWE-20
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess() action accepts a POST parameter tables[] containing arbitrary table names. These are passed directly to $forge->dropTable() without validati
Sources: GHSA, NVD
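The check that belongs in front of the `$forge->dropTable()` call described for CVE-2026-41890, as an added example that is not CI4MS code: the request may only name tables the module itself created, matched exactly, and every name is validated as a plain identifier before it is compared. The table names, the "foreign" `users` table and the route are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example; not CI4MS code. The advisory says deleteProcess() forwards
// the POSTed tables[] values to $forge->dropTable() unvalidated. This is the
// gate a practitioner would put in front of that call: the request may only
// name tables the module itself owns, matched exactly. The table names are
// assumptions for illustration.

const MODULE_OWNED_TABLES = ['blog_posts', 'blog_la', 'blog_tags']; // assumed

/**
 * Returns the de-duplicated subset of tables that may be dropped, or throws.
 *
 * @param mixed    $requested raw tables[] value from the request body
 * @param string[] $allowlist tables this module created and may remove
 * @return string[]
 */
function selectDroppableTables(mixed $requested, array $allowlist = MODULE_OWNED_TABLES): array
{
    if (!is_array($requested) || $requested === []) {
        throw new InvalidArgumentException('tables[] must be a non-empty array');
    }
    $selected = [];
    foreach ($requested as $name) {
        // Plain identifier first, so a failure message never echoes junk back.
        if (!is_string($name) || !preg_match('/\A[a-z][a-z0-9_]{0,62}\z/', $name)) {
            throw new InvalidArgumentException('invalid table name');
        }
        // Exact, case-sensitive membership; no prefix or wildcard matching.
        if (!in_array($name, $allowlist, true)) {
            throw new InvalidArgumentException('table not owned by this module: ' . $name);
        }
        $selected[$name] = $name; // de-duplicate repeated entries
    }
    return array_values($selected);
}

// Constructed request bodies.
$requests = [
    'legit'   => ['blog_tags', 'blog_posts', 'blog_tags'],
    'foreign' => ['blog_tags', 'users'],               // users: assumed to belong elsewhere
    'garbage' => ['blog_tags; DROP TABLE users'],
    'scalar'  => 'blog_tags',                          // tables[] omitted, plain string sent
];

foreach ($requests as $label => $body) {
    try {
        $tables = selectDroppableTables($body);
        // In the controller this is where the drop happens, one table at a time:
        // foreach ($tables as $t) { $forge->dropTable($t, true); }
        echo $label, ': would drop ', implode(', ', $tables), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The point of the identifier regex is not SQL-injection defence (Forge quotes identifiers); it is to fail fast and with a safe error message on anything that is not even shaped like a table name, before the allowlist is consulted. Rejecting the whole request when any one entry is foreign, rather than silently dropping the valid ones, keeps the behaviour predictable for the admin UI.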
CVE-2026-41891 | P4 | MEDIUM | CVSS 5.3 | affected ≥ 0.26.0, < 0.31.8.0 | 2026-05-07
CWE-613
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been patched in version 0.31.8.0.
Sources: GHSA, NVD
CVE-2026-25509 | P4 | MEDIUM | CVSS 5.3 | fixed in 0.28.5.0 | 2026-02-03
CWE-204
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analy
Sources: GHSA, NVD, OSV
CVE-2026-39392 | P4 | MEDIUM | CVSS 4.8 | fixed in 0.31.4.0 | 2026-04-08
CWE-79
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the da
Sources: GHSA, NVD, OSV
CVE-2026-39390 | P4 | MEDIUM | CVSS 4.8 | affected ≤ 0.31.3.0 | fixed in 0.31.4.0 | 2026-04-08
CWE-79
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attrib
Sources: GHSA, NVD, OSV
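Why the sanitizer shape described for CVE-2026-39390 fails, and what to replace it with, as an added example that is not CI4MS code. `weakSanitizeMap()` reproduces the described approach (strip_tags with an `<iframe>` allowlist plus regex removal of `on*` handlers; the exact regex is an assumption, since the page does not show it). `hardenedMapEmbed()` parses the input, validates only the `src` URL against an allowlisted host and path (assumed values), and emits a tag rebuilt from scratch, so `srcdoc` and any other attacker-supplied attribute is never copied through.

```php
<?php
declare(strict_types=1);

// Added example; not CI4MS code. weakSanitizeMap() mirrors the sanitizer the
// advisory describes for the cMap field (strip_tags allowlist + regex removal
// of on* handlers; regex is an assumption). hardenedMapEmbed() is the
// replacement: parse, validate the one attribute that matters, rebuild.
// The host/path allowlist is an assumption for illustration.

function weakSanitizeMap(string $input): string
{
    $kept = strip_tags($input, '<iframe>');            // keeps every attribute on <iframe>
    // Strip inline event handlers. Nothing here looks at srcdoc.
    return (string) preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $kept);
}

function hardenedMapEmbed(string $input, array $allowedHosts = ['www.google.com']): ?string
{
    $prev = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    $ok   = $doc->loadHTML('<!DOCTYPE html><html><body>' . $input . '</body></html>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return null;
    }

    $frames = $doc->getElementsByTagName('iframe');
    if ($frames->length !== 1) {
        return null;                                    // exactly one embed, nothing else
    }
    $src   = $frames->item(0)->getAttribute('src');
    $parts = parse_url($src);
    if (!is_array($parts)
        || ($parts['scheme'] ?? '') !== 'https'
        || !in_array(strtolower($parts['host'] ?? ''), $allowedHosts, true)
        || !str_starts_with($parts['path'] ?? '', '/maps/embed')) {
        return null;
    }

    // Rebuild: srcdoc, on*, style and every other attacker-supplied attribute
    // are simply never copied over. Only the validated src is escaped in.
    $esc = htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<iframe src="' . $esc . '" width="600" height="450" loading="lazy"'
        . ' referrerpolicy="no-referrer-when-downgrade" allowfullscreen></iframe>';
}

// Constructed inputs: a legitimate embed and an srcdoc payload. The payload
// contains no on* handler to match and no raw "<" for strip_tags to see;
// the browser decodes the entities inside srcdoc and executes the script.
$legit  = '<iframe src="https://www.google.com/maps/embed?pb=!1m18"></iframe>';
$attack = '<iframe srcdoc="&lt;script&gt;alert(document.domain)&lt;/script&gt;"></iframe>';

foreach (['legit' => $legit, 'attack' => $attack] as $label => $html) {
    echo $label, ' / weak:     ', weakSanitizeMap($html), PHP_EOL;
    echo $label, ' / hardened: ', hardenedMapEmbed($html) ?? '(rejected)', PHP_EOL;
}
```

The design choice is to stop thinking of the field as "HTML to be cleaned" and treat it as "one URL to be validated": a denylist of attributes (`on*`) can always be sidestepped by an attribute the author did not think of, whereas a rebuilt tag only ever carries attributes the code itself chose. If the feature must accept the full `<iframe>` snippet that Google hands out, the code still only needs the `src` from it.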
CVE-2026-39391 | P4 | MEDIUM | CVSS 4.8 | fixed in 0.31.4.0 | 2026-04-08
CWE-79
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An a
Sources: GHSA, NVD, OSV
CVE-2026-45270 | HIGH | affected ≥ 0, < 0.31.9.0 | 2026-05-18
CWE-79 | CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule
## Summary
The `Pages` backend module registers the `html_purify` validation rule on language-keyed page content but persists the raw, un-purified POST value into the database. The public renderer for pages (`Home::index()` → `app/Views/templates/default/pages.php`) emits `$pageInfo->content` without `esc(
Sources: GHSA
CVE-2026-45138 | MEDIUM | affected ≥ 0, < 0.31.9.0 | 2026-05-18
CWE-79 | CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule
## Summary
The custom `html_purify` validation rule used to sanitize blog post bodies relies on by-reference mutation (`?string &$str`), but CodeIgniter 4's validator passes a local copy of the value, so the sanitized text is silently discarded. The Blog controller writes `$lanData['content']` directly into `blog_la
Sources: GHSA
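The by-reference failure mode behind CVE-2026-45138 and CVE-2026-45270 (and the reason the Pages module's missing rule in CVE-2026-39392 would not have helped even if present), shown as an added example that is not CI4MS or CodeIgniter code. `ToyValidator` is a stand-in that reproduces one property of CodeIgniter 4's validator: each rule receives a local copy of the field value, so a rule declared as `?string &$str` mutates only that copy and the array the controller persists is unchanged. `purifyHtml()` is a stand-in for the project's purifier (assumption: a `strip_tags` allowlist; the real implementation is not on the page). The two fixes shown are a rule that rejects instead of mutating, and explicit purification on the persistence path.

```php
<?php
declare(strict_types=1);

// Added example; not CI4MS or CodeIgniter code. ToyValidator mimics one
// property of CodeIgniter 4's validator: each rule receives a local copy of
// the field value. A rule written as "?string &$str" therefore mutates only
// that copy, and the array the controller later persists is untouched.
// purifyHtml() stands in for the project's purifier (assumption).

final class ToyValidator
{
    /** @var array<string, callable> */
    private array $rules = [];

    public function addRule(string $name, callable $rule): void
    {
        $this->rules[$name] = $rule;
    }

    /** Runs one rule per field; returns true only when every rule returns true. */
    public function run(array $data, array $fieldRules): bool
    {
        foreach ($fieldRules as $field => $ruleName) {
            $value = $data[$field] ?? null;      // local copy, as in CI4: $data is never written back
            $rule  = $this->rules[$ruleName];
            if ($rule($value) !== true) {        // a by-ref write lands in $value and dies here
                return false;
            }
        }
        return true;
    }
}

function purifyHtml(string $html): string
{
    // Assumption: a small formatting allowlist. strip_tags keeps attributes on
    // allowed tags, so a real deployment would use a proper purifier library.
    return strip_tags($html, '<p><br><b><i><em><strong>');
}

// The shape the advisory describes: "purify" by mutating $str, always pass.
$brokenHtmlPurify = static function (?string &$str): bool {
    $str = $str === null ? null : purifyHtml($str);
    return true;
};

// Fix 1, as a validation rule: answer pass/fail, never mutate. Anything the
// purifier would alter is rejected, so dirty content cannot reach the model.
$strictHtmlPurify = static function (?string $str): bool {
    return $str === null || purifyHtml($str) === $str;
};

// Constructed request body with a stored-XSS payload in the content field.
$post = ['content' => '<p>Hello</p><img src=x onerror=alert(document.domain)>'];

$broken = new ToyValidator();
$broken->addRule('html_purify', $brokenHtmlPurify);
$brokenPassed = $broken->run($post, ['content' => 'html_purify']);
// The by-ref write never reaches $post, so a controller doing
// $model->insert($post) after a "passed" validation persists the client's bytes.

$strict = new ToyValidator();
$strict->addRule('html_purify', $strictHtmlPurify);
$strictPassed = $strict->run($post, ['content' => 'html_purify']);

// Fix 2, on the persistence path: sanitize the value you actually store,
// independently of what the validator did, because its output never flows back.
$toStore = ['content' => purifyHtml($post['content'])];

echo 'broken rule passed: ', var_export($brokenPassed, true), PHP_EOL;
echo 'stored by broken path: ', $post['content'], PHP_EOL;
echo 'strict rule passed: ', var_export($strictPassed, true), PHP_EOL;
echo 'stored after explicit purify: ', $toStore['content'], PHP_EOL;
```

Either fix on its own closes the hole; using both gives defence in depth. The general lesson is that a validation layer is a predicate, not a transformer: if the framework does not hand the sanitized value back to the caller, any "sanitizing rule" is a no-op regardless of how good the purifier behind it is, and a test that only checks the rule returns true will never notice.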
CVE-2026-45139 | MEDIUM | affected ≥ 0, < 0.31.9.0 | 2026-05-18
CWE-73 | CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations
## Summary
The Fileeditor module enforces an extension allowlist (`['css','js','html','txt','json','sql','md']`) on content-write operations (`saveFile`, `createFile`), but two destructive endpoint
Sources: GHSA
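One way to close the gap described for CVE-2026-45139, as an added example that is not CI4MS code: a single path guard that every Fileeditor operation calls, applied to every path argument (a rename has two), so the allowlist cannot be missed on a destructive endpoint the way the advisory describes. The guard also canonicalizes the path and checks it stays inside the editor's base directory. The allowlist is the one quoted in the advisory; the base directory, class names and sample files are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example; not CI4MS code. The advisory says the extension allowlist is
// enforced on saveFile/createFile but not on the destructive endpoints. One
// gate shared by every operation, applied to every path argument, closes that
// gap. Base directory and file names are assumptions for illustration.

final class EditablePathGuard
{
    private const ALLOWED_EXT = ['css', 'js', 'html', 'txt', 'json', 'sql', 'md']; // from the advisory

    private string $base;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new RuntimeException('base directory missing');
        }
        $this->base = $real . DIRECTORY_SEPARATOR;
    }

    /** Returns the canonical path if $relative names an editable file inside base; throws otherwise. */
    public function resolve(string $relative, bool $mustExist): string
    {
        if ($relative === '' || str_contains($relative, "\0")) {
            throw new InvalidArgumentException('bad path');
        }
        $ext = strtolower(pathinfo($relative, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED_EXT, true)) {
            throw new InvalidArgumentException('extension not allowed: ' . $ext);
        }
        $candidate = $this->base . ltrim(str_replace('\\', '/', $relative), '/');
        if ($mustExist) {
            $real = realpath($candidate);
            if ($real === false || !is_file($real)) {
                throw new InvalidArgumentException('no such file');
            }
        } else {
            // A destination may not exist yet: canonicalize its parent, re-attach the name.
            $parent = realpath(dirname($candidate));
            if ($parent === false) {
                throw new InvalidArgumentException('no such directory');
            }
            $real = $parent . DIRECTORY_SEPARATOR . basename($candidate);
        }
        if (!str_starts_with($real, $this->base)) {
            throw new InvalidArgumentException('path escapes base directory');
        }
        return $real;
    }
}

final class FileEditor
{
    public function __construct(private EditablePathGuard $guard) {}

    public function saveFile(string $rel, string $content): void
    {
        file_put_contents($this->guard->resolve($rel, false), $content, LOCK_EX);
    }

    public function deleteFile(string $rel): void
    {
        unlink($this->guard->resolve($rel, true));      // same gate as saveFile
    }

    public function renameFile(string $from, string $to): void
    {
        // Both ends are checked: otherwise an allowed .txt could be renamed over
        // .env, or a .php source renamed to .txt and then deleted or overwritten.
        rename($this->guard->resolve($from, true), $this->guard->resolve($to, false));
    }
}

// Constructed demo in a temporary directory.
$base = sys_get_temp_dir() . '/ci4ms_fileeditor_demo';
@mkdir($base, 0700);
file_put_contents($base . '/notes.txt', 'hello');
file_put_contents($base . '/.env', 'SECRET=1');
file_put_contents(dirname($base) . '/ci4ms_outside_demo.txt', 'outside');

$editor = new FileEditor(new EditablePathGuard($base));
$editor->renameFile('notes.txt', 'notes.md');           // allowed on both ends
foreach (['.env', '../ci4ms_outside_demo.txt', 'app/Config/App.php'] as $bad) {
    try {
        $editor->deleteFile($bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', $bad, ': ', $e->getMessage(), PHP_EOL;
    }
}
```

The extension check runs before anything touches the filesystem, so the error message can safely name the extension but never a resolved path. Routing every operation through `resolve()` is the structural fix: the advisory's bug is not that the allowlist was wrong, but that it lived in two endpoints instead of one place all four endpoints share.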