CVE-2026-25510
Unknown Unknown - Not Provided
Remote Code Execution in CI4MS via File Editor Permissions

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-10
Generated
2026-05-07
AI Q&A
2026-02-04
EPSS Evaluated
2026-05-05
NVD
CVE-2026-25510
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ci4-cms-erp ci4ms to 0.28.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects CI4MS, a CodeIgniter 4-based CMS skeleton. Before version 0.28.5.0, an authenticated user with file editor permissions could exploit the file creation and save endpoints to upload and execute arbitrary PHP code on the server. This leads to Remote Code Execution (RCE), allowing the attacker to run malicious code remotely.


How can this vulnerability impact me? :

The vulnerability can have severe impacts including full compromise of the affected server. An attacker who successfully exploits this issue can execute arbitrary code remotely, potentially leading to data theft, data loss, service disruption, or further attacks within the network.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade CI4MS to version 0.28.5.0 or later, where the issue has been patched.

Additionally, restrict file editor permissions to trusted users only, as the vulnerability requires authenticated users with file editor permissions.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart