CVE-2026-25510
Unknown Unknown - Not Provided
Remote Code Execution in CI4MS via File Editor Permissions

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25510
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ci4-cms-erp ci4ms to 0.28.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects CI4MS, a CodeIgniter 4-based CMS skeleton. Before version 0.28.5.0, an authenticated user with file editor permissions could exploit the file creation and save endpoints to upload and execute arbitrary PHP code on the server. This leads to Remote Code Execution (RCE), allowing the attacker to run malicious code remotely.

Impact Analysis

The vulnerability can have severe impacts including full compromise of the affected server. An attacker who successfully exploits this issue can execute arbitrary code remotely, potentially leading to data theft, data loss, service disruption, or further attacks within the network.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade CI4MS to version 0.28.5.0 or later, where the issue has been patched.

Additionally, restrict file editor permissions to trusted users only, as the vulnerability requires authenticated users with file editor permissions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25510. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart