114 matches found
GHSA-245J-XJVR-XVM5 CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations
Summary The Fileeditor module enforces an extension allowlist 'css','js','html','txt','json','sql','md' on content-write operations saveFile, createFile, but two destructive endpoints — deleteFileOrFolder and renameFile — never validate the extension of the source path. A backend user with...
PT-2026-41769
Summary The Fileeditor module enforces an extension allowlist 'css','js','html','txt','json','sql','md' on content-write operations saveFile, createFile, but two destructive endpoints — deleteFileOrFolder and renameFile — never validate the extension of the source path. A backend user with...
Arbitrary Argument Injection
Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Arbitrary Argument Injection via the openFileWithEditor process. An attacker can execute arbitrary commands on the user's system by crafting a malicious filename...
CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files
Summary The Fileeditor controller defines a hiddenItems array containing security-sensitive paths .env, composer.json, vendor/, .git/ but only enforces this protection in the listFiles method. The readFile, saveFile, deleteFileOrFolder, renameFile, createFile, and createFolder endpoints perform n...
[SECURITY] Fedora 42 Update: sad-0.4.32-4.fc42
Space Age seD - Batch File Edit tool. It will show you a really nice diff of proposed changes before you commit them...
[SECURITY] Fedora 43 Update: sad-0.4.32-4.fc43
Space Age seD - Batch File Edit tool. It will show you a really nice diff of proposed changes before you commit them...
CVE-2026-25510
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution RCE by leveraging the file creation and sav...
Arbitrary File Upload
Overview ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms Affected versions of this package are vulnerable to Arbitrary File Upload via the /backend/fileeditor/createFile and /backend/fileeditor/save API endpoints. An attacker can execute arbitrary code on the server by uploading...
EUVD-2026-5162
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution RCE by leveraging the file creation and sav...
CVE-2026-25510 CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution RCE by leveraging the file creation and sav...
CVE-2026-25510
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution RCE by leveraging the file creation and sav...
CVE-2026-25510 CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution RCE by leveraging the file creation and sav...
CVE-2026-25510 CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution RCE by leveraging the file creation and sav...
CVE-2026-25510
CVE-2026-25510 affects CI4MS, a CodeIgniter 4–based CMS skeleton. The vulnerability exists in the /backend/fileeditor/createFile and /backend/fileeditor/save endpoints, where an authenticated user with file editor permissions can upload and save files (including PHP) and execute arbitrary code on...
CI4MS 代码问题漏洞
CI4MS is an open-source blog page management tool developed by Ci4MS. Versions of CI4MS prior to 0.28.5.0 contained code vulnerabilities. These vulnerabilities allowed verified users with file editor privileges to upload and execute arbitrary PHP code through file creation and saving endpoints,...
GHSA-GP56-F67F-M4PX CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor
Summary A critical vulnerability has been identified in CI4MS that allows an authenticated user with file editor permissions to achieve Remote Code Execution RCE. By leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. Vulnerability...
CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor
Summary A critical vulnerability has been identified in CI4MS that allows an authenticated user with file editor permissions to achieve Remote Code Execution RCE. By leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. Vulnerability...
PT-2026-6425
Summary A critical vulnerability has been identified in CI4MS that allows an authenticated user with file editor permissions to achieve Remote Code Execution RCE. By leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. Vulnerability...
PT-2026-6302
Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.28.5.0 Description CI4MS is a CodeIgniter 4-based CMS skeleton that provides a production-ready, modular architecture with RBAC authorization and theme support. An authenticated user with file editor permissions can...
CVE-2023-40612
In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2, the file editor which is accessible to any user with ROLEFILESYSTEMEDITOR privileges is vulnerable to XXE injection attacks. The solution is to upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or newer. Meridian and Horizon installation...