
Ci4ms EUVD-2026-20489

CVE-2026-39394 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-04-08 GitHub_M GHSA-vfhx-5459-qhqh
8.1 · CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 8.1 HIGH
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Analysis Updated: Apr 16, 2026 - 00:12 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 16, 2026 - 00:07 (vuln.today), cvss_changed
Patch released: Apr 09, 2026 - 02:30 (nvd), Patch available
EUVD ID Assigned: Apr 08, 2026 - 15:16 (euvd), EUVD-2026-20489
Analysis Generated: Apr 08, 2026 - 15:16 (vuln.today)
CVE Published: Apr 08, 2026 - 14:32 (nvd), HIGH 8.1

Description (GitHub Advisory)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings(), which writes it into the .env file via preg_replace(). Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration directives into the .env file. The install routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when cache('settings') is empty (cache expiry or fresh deployment). This vulnerability is fixed in 0.31.4.0.
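The write path the advisory describes, as an added example that is not CI4MS's own code: a hypothetical .env updater that interpolates the host value into preg_replace() unchanged, beside a hardened version that rejects control characters and validates the value as an IP address or hostname before writing. The key names, the sample .env contents and the test vector are constructed.

```php
<?php
// Added example, not CI4MS code. Hypothetical .env writer in the style the
// advisory describes (preg_replace() of a dotted key) beside a hardened one.

// Constructed sample .env content; key names are illustrative.
const SAMPLE_ENV = "app.baseURL = 'http://localhost/'\n"
    . "database.default.hostname = localhost\n";

const HOST_LINE = '/^database\.default\.hostname = .*$/m';

// Vulnerable pattern: the value is interpolated unchanged, so any newline in
// it ends the hostname line and starts a new directive in the file.
function naiveUpdateHost(string $env, string $host): string
{
    return preg_replace(HOST_LINE, 'database.default.hostname = ' . $host, $env);
}

// Hardened check: no control characters (CR, LF, NUL, ...), and the value must
// parse as either an IP address or an RFC 1123 hostname.
function isSafeHost(string $host): bool
{
    if ($host === '' || preg_match('/[\x00-\x1F\x7F]/', $host) === 1) {
        return false;
    }
    return filter_var($host, FILTER_VALIDATE_IP) !== false
        || filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

function safeUpdateHost(string $env, string $host): string
{
    if (!isSafeHost($host)) {
        throw new InvalidArgumentException('rejected host value');
    }
    // preg_replace() treats backslashes and $n in the replacement specially;
    // escape them so a validated value is still written literally.
    $replacement = 'database.default.hostname = ' . addcslashes($host, '\\$');
    return preg_replace(HOST_LINE, $replacement, $env);
}

// Constructed test vector of the shape the advisory describes.
$tainted = "db.example.test\ninjected.key = attacker-controlled";

echo "--- naive writer ---\n", naiveUpdateHost(SAMPLE_ENV, $tainted);
echo "--- hardened writer ---\n";
try {
    echo safeUpdateHost(SAMPLE_ENV, $tainted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                 // the tainted value is refused
}
echo safeUpdateHost(SAMPLE_ENV, 'db.example.test'); // a clean hostname is written
```

The naive output shows the second line of the tainted value landing in the file as its own directive; the same fix applies to every installer field that reaches the .env writer, not only host.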

Analysis (AI)

Environment file injection in CI4MS versions prior to 0.31.4.0 allows remote attackers to inject arbitrary configuration directives by exploiting unvalidated newline characters in the host parameter during installation. The Install::index() controller's CSRF protection is intentionally disabled, and InstallFilter bypass is possible when settings cache expires or on fresh deployments. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify CI4MS installation endpoint
Delivery: Monitor for empty settings cache condition
Exploit: Craft POST request with newline-injected host parameter
Execution: Bypass InstallFilter validation
Persist: Inject malicious directives into .env file
Impact: Leverage compromised configuration for database access

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the InstallFilter to be bypassable, which occurs specifically when cache('settings') returns empty. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Real-world risk assessment reveals conflicting signals requiring careful interpretation. …
Exploit Scenario: An attacker discovers a CI4MS deployment during its initial installation phase or identifies a production instance where the settings cache has expired. They send a crafted HTTP POST request to the /install endpoint with a host parameter containing embedded newline characters followed by malicious configuration directives, such as host=legitimate.com\ndatabase.default.password=AttackerPass\nencryption.key=AttackerKey. …
Remediation: Upgrade to CI4MS version 0.31.4.0 or later immediately, as confirmed by the vendor release at https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0. …

Recommended Action (AI)

Within 24 hours: Identify all CI4MS instances and document current versions via application interfaces or package managers. …
