
Ci4ms CVE-2026-39393

EUVD-2026-20487 · HIGH
Missing Authentication for Critical Function (CWE-306)
Published 2026-04-08 · GitHub_M GHSA-8rh5-4mvx-xj7j
CVSS 3.1 (GitHub Advisory): 8.1

Severity by source

GitHub Advisory (primary): 8.1 HIGH
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Apr 16, 2026 00:13 (vuln.today): Analysis Updated, v2 (cvss_changed)
Apr 16, 2026 00:07 (vuln.today): Re-analysis Queued, cvss_changed
Apr 09, 2026 02:30 (nvd): Patch released, patch available
Apr 08, 2026 15:16 (euvd): EUVD ID Assigned, EUVD-2026-20487
Apr 08, 2026 15:16 (vuln.today): Analysis Generated
Apr 08, 2026 14:31 (nvd): CVE Published

Description (GitHub Advisory)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss (TTL expiry or admin-triggered cache clear), the guard fails open, allowing an unauthenticated attacker to overwrite the .env file with attacker-controlled database credentials, achieving full application takeover. This vulnerability is fixed in 0.31.4.0.
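The failure mode the advisory describes is a guard that decides "installed or not" from volatile state only, so an outage at the wrong moment reads as a fresh install. The following is an added example, not ci4ms code and not the project's actual guard: it models the pre-fix decision logic next to a fail-closed variant that denies on any database error and also honours a persistent install-lock marker, which neither a cache clear nor an outage can remove. All class and function names (SettingsCache, Database, install.lock) are assumptions for the model.

```python
"""
Added example, not ci4ms code: a minimal model of the install-route guard
described in the advisory, beside a fail-closed version. The vulnerable guard
trusts a volatile cache entry plus .env existence and, when a cache miss
coincides with an unreachable database, treats "no settings" as "not
installed" and exposes the setup wizard. The hardened guard denies on any
database error and also honours a persistent install-lock file that no cache
clear or outage can remove. Class and function names here are assumptions.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Optional


class DatabaseUnavailable(Exception):
    """Raised by the simulated database when it cannot be reached."""


@dataclass
class SettingsCache:
    # None models a cache miss: TTL expiry or an admin-triggered cache clear.
    entry: Optional[dict] = None


@dataclass
class Database:
    reachable: bool = True
    installed: bool = True

    def settings(self) -> dict:
        if not self.reachable:
            raise DatabaseUnavailable("connection refused")
        return {"installed": self.installed}


def vulnerable_install_guard(cache: SettingsCache, db: Database, env_exists: bool) -> bool:
    """Return True when the setup wizard is reachable (model of pre-fix behaviour)."""
    if cache.entry is not None and env_exists:
        return False                      # cache hit + .env present: wizard blocked
    try:
        cache.entry = db.settings()       # cache miss: repopulate from the database
    except DatabaseUnavailable:
        return True                       # fail-open: an outage looks like a fresh install
    return not (cache.entry["installed"] and env_exists)


def hardened_install_guard(cache: SettingsCache, db: Database, env_exists: bool,
                           lock_path: str) -> bool:
    """Return True when the setup wizard is reachable (fail-closed model)."""
    if os.path.exists(lock_path):
        return False                      # persistent marker written once, at install end
    if not env_exists:
        return True                       # never configured: nothing to overwrite yet
    if cache.entry is not None:
        return not cache.entry["installed"]
    try:
        cache.entry = db.settings()
    except DatabaseUnavailable:
        return False                      # fail closed: configured but unverifiable
    return not cache.entry["installed"]


def run_outage_scenario() -> dict:
    """Constructed scenario from the advisory: installed app, .env present,
    cache miss, database unreachable. Reports whether each guard exposes the wizard."""
    db = Database(reachable=False, installed=True)
    with tempfile.TemporaryDirectory() as tmp:
        lock = os.path.join(tmp, "install.lock")
        open(lock, "w").close()           # written by the installer when it finished
        return {
            "vulnerable": vulnerable_install_guard(SettingsCache(), db, env_exists=True),
            "hardened": hardened_install_guard(SettingsCache(), db, env_exists=True, lock_path=lock),
        }


def run_fresh_install_scenario() -> dict:
    """Constructed sanity check: a never-installed app (no lock, no .env, no
    database yet) must still reach the wizard under both guards."""
    db = Database(reachable=False, installed=False)
    with tempfile.TemporaryDirectory() as tmp:
        lock = os.path.join(tmp, "install.lock")   # deliberately not created
        return {
            "vulnerable": vulnerable_install_guard(SettingsCache(), db, env_exists=False),
            "hardened": hardened_install_guard(SettingsCache(), db, env_exists=False, lock_path=lock),
        }


if __name__ == "__main__":
    print("outage:", run_outage_scenario())               # {'vulnerable': True, 'hardened': False}
    print("fresh install:", run_fresh_install_scenario()) # {'vulnerable': True, 'hardened': True}
```

The design point is that installation state must live somewhere that survives both the cache and the database: a marker file written once at the end of the wizard, checked before anything else. Any check that needs a live backend must fail closed, because the only case where a configured application cannot verify its own state is exactly the window an attacker would wait for.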

Analysis (AI)

CI4MS CMS skeleton versions below 0.31.4.0 permit complete application takeover through installation wizard re-access when the database becomes unreachable. Unauthenticated remote attackers exploit a race condition window during cache expiry or database downtime to bypass the install route guard and inject malicious database credentials into the .env configuration file. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Monitor install endpoint for 403→200 response change
Delivery: Database outage/cache expiry creates vulnerable state
Exploit: Submit malicious setup form with attacker DB credentials
Install: Application writes .env file with attacker values
C2: Application reconnects using compromised credentials
Execute: Extract data or inject admin account
Impact: Execute arbitrary code via database-stored content

Vulnerability Assessment (AI)

Exploitation: Successful exploitation requires concurrent occurrence of two conditions: (1) cache('settings') object is absent due to TTL expiration or administrative cache clear operation, AND (2) database server is unreachable from the application server (network partition, database service down, connection pool exhaustion, firewall changes). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 8.1 (High) reflects the catastrophic impact of full application takeover (C:H/I:H/A:H) but accurately rates attack complexity as High (AC:H) since exploitation requires precise timing during concurrent cache expiry and database unavailability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: Attacker continuously probes the CI4MS installation endpoint (/install or /setup) while monitoring for HTTP 200 responses instead of 403/404. During scheduled database maintenance, network partition, or resource exhaustion event that causes database unavailability, the application's cache simultaneously expires or an administrator clears cache. …

Remediation: Upgrade immediately to CI4MS version 0.31.4.0 or later, available from the official GitHub release at https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0. … Detailed patch versions, workarounds, and compensating controls in full report.
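Both the recon step (repeated denied probes of the install endpoint) and the exposure itself (a non-denied response from that endpoint long after installation) leave a clear trace in ordinary web-server access logs. The following added example, not from vuln.today or the ci4ms project, scans combined-format access logs for those two signals; the log lines, client addresses and installation timestamp are constructed, and the paths /install and /setup are the ones named in the assessment above.

```python
"""
Added example, not from vuln.today or ci4ms: detection logic for the exposure
window described in the assessment. It scans combined-format access logs for
(1) any non-denied response (status < 400) from the setup wizard paths after
installation was completed, which a correctly guarded deployment never
produces, and (2) a single client repeatedly probing those paths and being
denied, the reconnaissance pattern listed in the attack chain.
Sample log lines, addresses and INSTALLED_AT below are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timezone

WIZARD_PATHS = ("/install", "/setup")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client probes /install until a 200 appears, then POSTs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2026:03:14:01 +0000] "GET /install HTTP/1.1" 403 153
203.0.113.5 - - [10/Apr/2026:03:14:11 +0000] "GET /install HTTP/1.1" 403 153
203.0.113.5 - - [10/Apr/2026:03:14:21 +0000] "GET /install HTTP/1.1" 403 153
203.0.113.5 - - [10/Apr/2026:03:14:31 +0000] "GET /install HTTP/1.1" 403 153
203.0.113.5 - - [10/Apr/2026:03:14:41 +0000] "GET /install HTTP/1.1" 403 153
198.51.100.7 - - [10/Apr/2026:03:14:50 +0000] "GET /admin HTTP/1.1" 200 8213
203.0.113.5 - - [10/Apr/2026:03:15:02 +0000] "GET /install HTTP/1.1" 200 4417
203.0.113.5 - - [10/Apr/2026:03:15:05 +0000] "POST /install HTTP/1.1" 302 0
""".splitlines()

# Constructed: when this deployment's install wizard was completed.
INSTALLED_AT = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_wizard_path(path):
    """True for /install, /setup and anything beneath them, ignoring query strings."""
    base = path.split("?", 1)[0].rstrip("/") or "/"
    return base in WIZARD_PATHS or any(base.startswith(p + "/") for p in WIZARD_PATHS)


def find_wizard_exposure(lines, installed_at):
    """Wizard requests answered with anything other than a denial after install completion."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_wizard_path(rec["path"]) and rec["ts"] > installed_at and rec["status"] < 400:
            hits.append(rec)
    return hits


def find_probing_ips(lines, threshold=5):
    """Clients denied on wizard paths at least `threshold` times (recon pattern)."""
    denied = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_wizard_path(rec["path"]) and rec["status"] >= 400:
            denied[rec["ip"]] += 1
    return sorted(ip for ip, n in denied.items() if n >= threshold)


if __name__ == "__main__":
    for h in find_wizard_exposure(SAMPLE_LOG, INSTALLED_AT):
        print(f"EXPOSURE {h['ts'].isoformat()} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print("probing clients:", find_probing_ips(SAMPLE_LOG))
```

Two points of use: the exposure check is the high-confidence signal (a GET returning the wizard page, followed by a POST that is redirected rather than rejected, is the write described in the advisory), while the probing count is a lower-confidence early warning that is cheap to alert on. Running the exposure check against the window of any planned database maintenance is a quick way to audit whether the fail-open state was ever reached before the upgrade.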

Recommended Action (AI)

Within 24 hours: inventory all CI4MS CMS skeleton deployments and document current versions. …




CVE-2026-39393 vulnerability details – vuln.today
