Skip to main content

CI4MS CVE-2026-41890

| EUVDEUVD-2026-28292 MEDIUM
Improper Input Validation (CWE-20)
2026-05-04 https://github.com/ci4-cms-erp/ci4ms GHSA-vgrf-pr28-vf98
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 07, 2026 - 04:35 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
May 04, 2026 - 21:30 vuln.today
Analysis Generated
May 04, 2026 - 21:30 vuln.today

DescriptionGitHub Advisory

Summary

The deleteProcess() action accepts a POST parameter tables[] containing arbitrary table names. These are passed directly to $forge->dropTable() without validating that the tables belong to the theme being deleted.

The deleteConfirm view correctly populates tables[] from the theme's own migration files, but the server-side deleteProcess does not verify the received values against those files. An authenticated admin can craft a POST request with arbitrary table names and drop any table in the database.

This is a real bug even within the admin trust model: the action should be scoped to the theme's own tables. The permission grants delete this theme's data", not "drop any table".

Details

Location

modules/Theme/Controllers/Theme.php :: deleteProcess() ~line 147

Vulnerable Code

php
public function deleteProcess(string $slug)
{
    $themeName = $slug;
    $activeTheme = setting('App.siteTheme');
    if ($activeTheme === $themeName) {
        return redirect()->route('templateSettings')...;
    }

    $tablesToDrop = $this->request->getPost('tables');  // ← user-supplied, unvalidated
    if (!empty($tablesToDrop) && is_array($tablesToDrop)) {
        $forge = \Config\Database::forge();
        $db    = \Config\Database::connect();
        foreach ($tablesToDrop as $table) {
            if ($db->tableExists($table)) {
                $forge->dropTable($table, true);  // ← no whitelist check
            }
        }
    }

PoC

  1. Authenticate to the backend (any user with theme.delete permission)
  2. POST to /backend/themes/delete-process/<any_non_active_theme_slug>
  3. Include tables[]=<any_table> in POST body
  4. The named tables are dropped without validation

Impact

  • Dropped ci4ms_blog (confirmed in test)
  • Dropped ci4ms_users + ci4ms_auth_identities simultaneously - disables all authentication (confirmed)
  • Any table in the database can be targeted

Additional note

Quick note on the design intent for deleteProcess - I noticed delete_confirm.php scopes the checkboxes to the theme's own migration files, and the CHANGELOG confirms the selective deletion was intentional (admins can choose which tables to keep). The server-side deleteProcess already has all the information it needs to validate the input - deleteConfirm derives the valid table set from the migration files, deleteProcess just needs to do the same before acting on the POST. Happy to clarify if useful.

AnalysisAI

Arbitrary database table drop in CI4MS theme deletion allows authenticated administrators with theme.delete permission to craft malicious POST requests to the /backend/themes/delete-process/ endpoint and drop any table in the database, including critical tables such as ci4ms_users and ci4ms_auth_identities. The vulnerability exists because the deleteProcess() action accepts user-supplied table names without validating them against the theme's own migration files, violating the principle of least privilege even within the admin trust model. Vendor-released patch 0.31.8.0 implements migration-based whitelist validation to restrict deletions to declared theme tables.

Technical ContextAI

CI4MS is a CodeIgniter 4-based CMS/ERP system that manages themes through a dedicated Theme module. The vulnerable code exists in modules/Theme/Controllers/Theme.php at the deleteProcess() method (~line 147), which interacts with CodeIgniter 4's database forge API. The deleteProcess() action receives a POST parameter 'tables[]' containing table names intended for deletion during theme removal. While the corresponding deleteConfirm view correctly derives valid tables from the theme's migration files, the server-side deleteProcess() does not perform the same validation before passing table names to $forge->dropTable(). This is a classic input validation failure (CWE-20: Improper Input Validation) where user-supplied values are used directly in destructive database operations. The vulnerability affects the Composer package ci4-cms-erp/ci4ms (CPE: pkg:composer/ci4-cms-erp_ci4ms) across versions 0.31.1.0 through 0.31.7.0.

RemediationAI

Vendor-released patch: upgrade to CI4MS version 0.31.8.0 or later. The patch implements migration-based whitelist validation in the Theme::deleteProcess() method, ensuring that only tables declared within the specific theme's migration files can be dropped. Apply the patch immediately via Composer: composer require ci4-cms-erp/ci4ms:0.31.8.0 or update existing installations with composer update ci4-cms-erp/ci4ms. Until patched, restrict access to the theme management backend to only the most trusted administrators and monitor database access logs for unexpected DROP TABLE statements. No compensating controls can reliably prevent exploitation without code modification because the vulnerability requires server-side validation logic that the vulnerable version lacks. The CHANGELOG confirms this fix was intentional by design: the deleteConfirm view scopes checkboxes to the theme's own migration files, and the patch enforces the same scoping on the server side.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-41890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy