Executive Summary

CVE-2026-41587 is a vulnerability in the CI4MS CMS system that allows authenticated backend users with theme-upload permissions to execute remote code on the server.

This happens because the theme upload feature accepts ZIP files containing PHP files, which are extracted into a web-accessible directory without filtering or extension restrictions, allowing these PHP files to be executed directly via HTTP requests.

The vulnerability affects versions from 0.26.0.0 up to before 0.31.7.0 and has been patched in version 0.31.7.0.

Useful 0 Not Useful 0

Impact Analysis

Successful exploitation of this vulnerability can lead to full server compromise.

• Attackers can execute arbitrary PHP code remotely.
• This can result in data exfiltration, allowing attackers to steal sensitive information.
• Attackers may perform lateral movement within the network.
• Persistence on the compromised server can be established by attackers.

Overall, this vulnerability poses a high risk to the confidentiality, integrity, and availability of the affected system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of unauthorized PHP files in the web-accessible public/ directory, especially those without extensions or those uploaded via the theme upload feature.

You can look for suspicious PHP files that may have been uploaded by authenticated backend users with theme-upload permissions.

• Use commands to find PHP files in the public directory, for example: find /path/to/ci4ms/public -type f -name '*.php'
• Check for files without extensions that contain PHP code: find /path/to/ci4ms/public -type f ! -name '*.*' -exec grep -Iq . {} \; -print
• Review web server access logs for HTTP requests to suspicious files in the public/ directory that could indicate exploitation attempts.

Detection also involves verifying if the system is running a vulnerable version (0.26.0.0 to before 0.31.7.0) of ci4ms and if any authenticated backend users have theme-upload permissions.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the ci4ms package to version 0.31.7.0 or later, where the vulnerability has been patched.

The patch includes enhanced path traversal checks, a whitelist of allowed file extensions for theme uploads, and prevention of PHP execution in the public/templates/ directory via a .htaccess file.

If immediate upgrade is not possible, restrict theme-upload permissions to only fully trusted users and monitor uploads closely.

Additionally, review and remove any suspicious PHP files in the public/ directory that may have been uploaded maliciously.

Implement web server rules or .htaccess configurations to block execution of PHP files in the public/ directory as a defense-in-depth measure.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated backend users with theme-upload permissions to achieve remote code execution (RCE), potentially leading to full server compromise including data exfiltration.

Such a compromise could result in unauthorized access to sensitive data, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.

Therefore, if exploited, this vulnerability could negatively impact compliance with these standards by exposing confidential data and failing to maintain the integrity and availability of systems.

Useful 0 Not Useful 0