top of page
perceptive_background_267k.jpg

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0…

Published:

2 February 2026 at 23:00:00

Alert date:

3 February 2026 at 23:08:48

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies

CVE-2026-25510 affects CI4MS, a CodeIgniter 4-based CMS skeleton with RBAC authorization and theme support. Prior to version 0.28.5.0, authenticated users with file editor permissions could achieve Remote Code Execution (RCE) by exploiting file creation and save endpoints to upload and execute arbitrary PHP code on the server. The vulnerability allows attackers to leverage legitimate file management functionality to bypass security controls and execute malicious code. This represents a critical security flaw that could lead to complete server compromise. The issue has been patched in version 0.28.5.0.

Technical details

Mitigation steps:

Affected products:

CI4MS
CodeIgniter 4

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-25510
https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653
https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page