CVE-2026-41890
BaseFortify
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ci4-cms-erp | ci4ms | From 0.31.1.0 (inc) to 0.31.8.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in CI4MS affects the deleteProcess() action in versions from 0.31.1.0 to before 0.31.8.0. This function accepts a POST parameter tables[] containing table names to be deleted. However, it does not validate whether these tables belong to the theme being deleted, allowing an authenticated admin to specify arbitrary table names.
Because the tables[] parameter is passed directly to the database forge's dropTable() method without validation, an attacker with theme deletion permissions can craft a request to drop any table in the database, including critical ones.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized deletion of any database table by an authenticated admin with theme deletion permissions. This includes critical tables such as user and authentication tables.
The impact primarily affects system availability, as dropping essential tables can disable authentication and potentially cause data loss or service disruption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an authenticated admin sending a crafted POST request to the deleteProcess() action with arbitrary table names in the tables[] parameter to drop any database table.
To detect exploitation attempts on your system or network, monitor HTTP POST requests to the theme deletion endpoint for unusual or unexpected tables[] parameters containing table names outside the expected theme migration files.
You can use web server logs or network monitoring tools to filter POST requests targeting the deleteProcess() action.
- Use grep or similar tools on web server logs to find POST requests with tables[] parameters (the square brackets must be matched literally, so use a fixed-string search): grep -i 'POST.*deleteProcess' /var/log/apache2/access.log | grep -F 'tables[]='. Note that a standard access log records only the request line, not the POST body, so this only catches tables[] values passed in the query string; inspecting body parameters needs request-body logging or a packet capture (next item).
- Use a packet capture tool like tcpdump or Wireshark to filter HTTP POST requests to the relevant URL and inspect the POST data for suspicious tables[] values.
- If you have access to the database, check for unexpected dropped tables or missing critical tables such as ci4ms_users or ci4ms_auth_identities.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade the ci4ms system to version 0.31.8.0 or later, where this vulnerability has been patched.
Version 0.31.8.0 introduces a migration-based whitelist that restricts table deletion to only those tables belonging to the specific theme, preventing arbitrary table drops.
Until you can upgrade, restrict or monitor admin users with theme.delete permissions to prevent misuse.
Additionally, review and tighten access controls and audit logs for theme deletion actions.
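The missing check described in the first answer and the migration-based whitelist described in the fix, shown side by side as an added illustration (this is not ci4ms project code). It assumes the theme's migration files use CodeIgniter 4's $this->forge->createTable('name') call, and the helper names and the injected $dropTable callable are hypothetical stand-ins for the real controller and \Config\Database::forge()->dropTable().

```php
<?php
// Added example, not ci4ms code. The vulnerable deleteProcess() passed every
// tables[] entry straight to dropTable(); the hardened form below first derives
// the theme's own tables from its migrations and refuses anything else.

/** Build the theme's allowlist: tables its migration sources create. */
function themeTablesFromMigrations(array $migrationSources): array
{
    $owned = [];
    foreach ($migrationSources as $src) {
        // Assumed convention: $this->forge->createTable('name') in each migration.
        if (preg_match_all('/createTable\(\s*[\'"]([A-Za-z0-9_]+)[\'"]/', $src, $m)) {
            foreach ($m[1] as $name) {
                $owned[$name] = true;
            }
        }
    }
    return array_keys($owned);
}

/**
 * Hardened core of a deleteProcess()-style action. $dropTable stands in for
 * the forge's dropTable($table, $ifExists). Rejected names are reported so the
 * caller can log the attempt instead of silently skipping it.
 */
function dropThemeTables(array $requested, array $allowlist, callable $dropTable): array
{
    $allowed  = array_flip($allowlist);
    $dropped  = [];
    $rejected = [];
    foreach ($requested as $table) {
        // CWE-20 fix, step 1: only plain identifiers are even considered.
        if (!is_string($table) || !preg_match('/^[A-Za-z0-9_]+$/', $table)) {
            $rejected[] = (string) $table;
            continue;
        }
        // CWE-20 fix, step 2: the table must belong to this theme.
        if (!isset($allowed[$table])) {
            $rejected[] = $table;
            continue;
        }
        $dropTable($table, true);
        $dropped[] = $table;
    }
    return ['dropped' => $dropped, 'rejected' => $rejected];
}

// Constructed demo: one theme migration, and a request mixing the theme's own
// table with a core table (ci4ms_users) and a malformed name.
$migrations = ["<?php class AddBlogTables { function up() { \$this->forge->createTable('theme_blog_posts'); } }"];
$request    = ['theme_blog_posts', 'ci4ms_users', 'not a valid identifier!'];
$result     = dropThemeTables($request, themeTablesFromMigrations($migrations),
    fn (string $t, bool $ifExists) => print("dropTable($t)\n"));
print_r($result);
```

Only theme_blog_posts reaches dropTable(); ci4ms_users and the malformed name land in the rejected list, which is the event worth writing to the audit log mentioned above.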