CVE-2026-25510 · HIGH 8.8 · EPSS p52.0%

CVE-2026-25510

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE): by leveraging the file creation and save endpoints, such an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.80% probability of exploitation · percentile 52.0% · 2026-06-19T12:03:05Z
Published: 2026-02-03
Last modified: 2026-02-10

Underlying weaknesses · 2

CWE-94, CWE-434

References

  1. https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653
  2. https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px

Type     | Target                                                          | Confidence | Tier
Weakness | Unrestricted Upload of File with Dangerous Type (cwe-434)       | 0%         | live
Weakness | Improper Control of Generation of Code ('Code Injection') (cwe-94) | 0%      | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-34568
  - CVE: CVE-2026-34566
  - CVE: CVE-2026-34558
  - CVE: CVE-2026-34557
  - CVE: CVE-2026-35035
  - CVE: CVE-2026-34571
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.