Arbitrary file upload in Ci4-cms-erp Ci4ms

CVE-2026-41587

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version 0.31.7.0, a theme upload feature allows any authenticated…

Vulnerability class: Unrestricted File Upload

EPSS: 0.001 (29.3th percentile)

Affected products

Weakness classification (CWE)

References