CVE-2026-41202 ci4ms Backup::restore is vulnerable to Zip Slip leading to RCE

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user...

EUVD-2026-28253

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated vi...

CVE-2026-39393

CVE-2026-39393 affects the ci4ms CodeIgniter 4-based CMS skeleton. Before 0.31.4.0, the install route guard uses a volatile cache check (cache('settings')) and .env existence to block setup access; if the database is temporarily unreachable during a cache miss, the guard can fail open, allowing a...

CVE-2026-39393

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check cache'settings' combined with .env file existence to block...

CVE-2026-39391 CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into a...

CVE-2026-32712

Open Source Point of Sale (OSPOS) has a Stored XSS vulnerability in the Daily Sales page prior to version 3.4.3. The issue arises from the customer_name field being configured with escape: false in the bootstrap-table setup, causing customer names to render as raw HTML. With customer management p...

FUEL CMS 安全漏洞

FUEL CMS is a content management system CMS developed by David McReynolds using the Codelgniter framework. Version 1.2 of FUEL CMS has a security vulnerability, which stems from an issue in the Blocks module where authenticated remote code execution is possible...

CVE-2026-34571

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, a Stored Cross-Site Scripting Stored XSS vulnerability exists in the backend user management functionality. The application fail...

EUVD-2026-18088

CI4MS: Stored Cross‑Site Scripting Stored XSS in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise...

EUVD-2026-18080

CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS...

EUVD-2026-18074

CI4MS: System Settings Company Information Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS...

PT-2026-29632

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0 Description The application does not properly sanitize user-controlled input when creating or editing blog posts. An attacker can inject a malicious JavaScript payload into blog post content, which is then stor...

PT-2026-29625

Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.0.0 Description: CI4MS is a CodeIgniter 4-based CMS skeleton. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface, leading to a stored DOM Blind XSS scenario...

PT-2026-29128

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0 Description CI4MS is a CodeIgniter 4-based CMS skeleton providing a modular architecture with RBAC authorization and theme support. The application does not properly sanitize user-controlled input within the...

FUEL CMS 安全漏洞

FUEL CMS is a content management system CMS developed by David McReynolds using the Codelgniter framework. Version 1.5.2 of FUEL CMS contains a security vulnerability, which stems from the /controllers/Login.php component being vulnerable to SQL injection attacks...

FUEL CMS 安全漏洞

FUEL CMS is a content management system CMS developed by David McReynolds using the Codelgniter framework. Version 1.5.2 of FUEL CMS contains a security vulnerability, which stems from issues with the /parser/dwoo component. Attackers can execute arbitrary code through specially crafted PHP code...

CVE-2026-32888

CVE-2026-32888 affects Open Source Point of Sale (PHP, CodeIgniter). A SQL Injection exists in the Items search functionality when the custom attribute search feature (search_custom) is enabled: user input from the search GET parameter is interpolated directly into a HAVING clause without paramet...

PT-2026-26544

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled search custom filter, user-supplied input from the search GET...

CVE-2026-25510

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution RCE by leveraging the file creation and sav...

CVE-2026-25510 CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution RCE by leveraging the file creation and sav...