CVE-2026-41587
BaseFortify
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ci4-cms-erp | ci4ms | From 0.26.0.0 (inc) to 0.31.7.0 (exc) |
| ci4-cms-erp | ci4ms | to 0.31.7.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41587 is a vulnerability in the CI4MS CMS (the ci4-cms-erp/ci4ms package) that lets an authenticated backend user holding the theme-upload permission run arbitrary code on the server.
The theme upload feature accepts a ZIP archive and extracts it into a web-accessible directory without filtering its contents or restricting file extensions, so a PHP file placed in the archive lands under public/ and runs as soon as it is requested over HTTP (CWE-434, unrestricted upload of a dangerous file type).
Versions from 0.26.0.0 up to but excluding 0.31.7.0 are affected; the fix shipped in 0.31.7.0.
How can this vulnerability impact me?
Successful exploitation of this vulnerability can lead to full server compromise.
- Attackers can execute arbitrary PHP code with the privileges of the web server process.
- This can result in data exfiltration, allowing attackers to steal sensitive information.
- Attackers may perform lateral movement within the network.
- Persistence on the compromised server can be established by attackers.
Overall, this vulnerability poses a high risk to the confidentiality, integrity, and availability of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The indicator to look for is PHP that has no business being there: the theme upload extracts into a web-accessible tree under public/ (the patch hardens public/templates/), so search that tree for PHP-family files that are not part of the shipped application, and for files whose content starts with a PHP open tag even though their name does not end in .php.
Treat any backend account that holds the theme-upload permission as a possible source, and reconcile what you find against a clean install of the same version.
- List PHP files under public/ and compare them with the shipped file list (the application's own front controller public/index.php is expected; anything under public/templates/ is not): `find /path/to/ci4ms/public -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \)`
- Catch PHP hidden behind a non-PHP or missing extension by scanning file content for the open tag rather than relying on the name: `find /path/to/ci4ms/public/templates -type f ! -name '*.php' -exec grep -lI '<?php' {} +`
- Review web server access logs for requests to .php paths under public/templates/ (or any other theme directory) that were answered with HTTP 200, and for the authenticated POST that uploaded a theme archive shortly before them.
Also confirm whether the installed ci4ms version falls in the affected range (0.26.0.0 up to, but not including, 0.31.7.0) and which backend accounts currently hold the theme-upload permission.
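The checks above as one script, added here as an example and not taken from the ci4ms project: it lists PHP-family files under a directory, then files of any other name whose content carries a PHP open tag, and it tests a version string against the affected range. The directory layout (public/templates/ as the theme directory, public/index.php as the front controller) is an assumption about a CodeIgniter 4 deployment, and the sample tree the script builds is constructed for the demonstration; point `find_php_payloads` at your real public/templates/ and pass `is_affected_version` the version you read from your installation.

```shell
#!/bin/sh
# Added example for this page (not ci4ms project code). Hunts for PHP that a
# theme upload could have dropped under public/templates/ and checks a version
# string against the affected range 0.26.0.0 <= v < 0.31.7.0. The sample tree
# built by make_demo_tree is constructed; the path layout (public/templates/,
# public/index.php) is an assumption about a CodeIgniter 4 deployment.
set -eu

# Print every regular file under $1 with a PHP-family extension, then every
# file without one whose content carries a PHP open tag (<?php or <?=).
find_php_payloads() {
    dir="$1"
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -print
    find "$dir" -type f ! -iname '*.php' ! -iname '*.phtml' ! -iname '*.phar' \
        -exec grep -lIE '<\?(php|=)' {} + 2>/dev/null || true
}

# Numeric compare of dotted versions: prints -1, 0 or 1. Missing components
# count as 0, so 0.31.7 equals 0.31.7.0. Expects purely numeric components.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${ap:-0}" -lt "${bp:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${ap:-0}" -gt "${bp:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Exit 0 when the version lies in the affected range (lower bound inclusive,
# upper bound exclusive, matching the advisory).
is_affected_version() {
    [ "$(vercmp "$1" 0.26.0.0)" -ge 0 ] && [ "$(vercmp "$1" 0.31.7.0)" -lt 0 ]
}

# Constructed sample tree: one benign theme, one theme that smuggled PHP in
# (with and without a .php extension), and the front controller that belongs.
make_demo_tree() {
    root="$1"
    mkdir -p "$root/public/templates/clean" "$root/public/templates/evil"
    printf 'body { color: #000; }\n' > "$root/public/templates/clean/style.css"
    printf '<?php echo "constructed marker"; ?>\n' > "$root/public/templates/evil/shell.php"
    printf '<?php echo "no extension"; ?>\n' > "$root/public/templates/evil/notes"
    printf 'plain text, not PHP\n' > "$root/public/templates/evil/README"
    printf '<?php /* CodeIgniter front controller (expected) */\n' > "$root/public/index.php"
}

# Stand-alone run over the constructed tree.
demo_root=$(mktemp -d)
make_demo_tree "$demo_root"
echo "PHP found under public/templates/:"
find_php_payloads "$demo_root/public/templates" | sort
for v in 0.25.9.0 0.26.0.0 0.30.2.0 0.31.7.0; do
    if is_affected_version "$v"; then echo "$v: affected"; else echo "$v: not affected"; fi
done
rm -rf "$demo_root"
```

The content scan deliberately excludes files already reported by the extension scan, so each hit is printed once; anything it reports under the theme directory deserves a look at its upload time, owner and the access-log entries that reference it.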
What immediate steps should I take to mitigate this vulnerability?
The fix is to upgrade the ci4ms package to 0.31.7.0 or later.
The patch adds stricter path traversal checks, a whitelist of allowed file extensions for theme uploads, and a .htaccess file that prevents PHP execution in public/templates/.
If you cannot upgrade immediately, restrict the theme-upload permission to fully trusted accounts and audit every upload.
Review public/templates/ (and the rest of public/) and remove any PHP file that is not part of the shipped application.
As defense in depth, block PHP execution in public/templates/ and any other upload directory with web server rules or a .htaccess; do not disable PHP for all of public/, because the application's front controller public/index.php must keep running. nginx does not read .htaccess files, so there the rule belongs in the server configuration.
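The defense-in-depth rule as a script that installs it, added here as an example and not the ci4ms project's own .htaccess: it writes a per-directory configuration for Apache 2.4 that refuses any request for a PHP-family file under the theme directory and, for mod_php, switches the engine off there. It assumes Apache 2.4 and an AllowOverride for public/ that permits these directives (AllowOverride All, or at least AuthConfig, FileInfo and Options); the directory path is a placeholder.

```shell
#!/bin/sh
# Added example for this page (not ci4ms project code). Writes a .htaccess that
# makes Apache 2.4 refuse PHP-family files under the theme directory, the same
# layer the patch adds to public/templates/. Assumes Apache 2.4 with
# AllowOverride All (or at least AuthConfig, FileInfo and Options) for public/.
set -eu

# Create the directory if needed and write the deny rules into its .htaccess.
write_templates_htaccess() {
    dir="$1"   # placeholder, e.g. /var/www/ci4ms/public/templates
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Deny any request for a PHP-family file in or below this directory. The
# request is rejected in the authorization phase, before any handler runs, so
# this covers mod_php, php-fpm (SetHandler proxy:fcgi) and CGI alike. The
# trailing (\.|$) also catches names like shell.php.jpg, which mod_mime would
# otherwise still hand to the PHP handler because it matches every extension
# in the file name.
<FilesMatch "\.(php[0-9]*|phtml|phar|phps)(\.|$)">
    Require all denied
</FilesMatch>

# Extra layer for mod_php: a file that slips past the name check is served as
# static content instead of being executed.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# Drop any inherited handler or MIME mapping for PHP extensions.
RemoveHandler .php .phtml .phar
RemoveType .php .phtml .phar
EOF
}

# Exit 0 when the directory's .htaccess carries the deny rule.
htaccess_blocks_php() {
    grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null
}

# Stand-alone run against a throwaway directory.
demo=$(mktemp -d)
write_templates_htaccess "$demo/public/templates"
if htaccess_blocks_php "$demo/public/templates"; then
    echo "installed: $demo/public/templates/.htaccess"
fi
rm -rf "$demo"
```

Make the resulting .htaccess owned by root (or another account distinct from the PHP worker) and not writable by the web process: the theme directory has to be writable for uploads, and a rule the upload code can overwrite protects nothing. With AllowOverride None, the same <FilesMatch> block goes into a <Directory> section for public/templates in the virtual host instead, and after either change run `apachectl configtest` and confirm that a request for a .php path under /templates/ returns 403.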