
19 matches found

NVD
added 2026/05/07 4:16 a.m., 5 views

CVE-2026-41891

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been patched in version...

CVSS 5.3, EPSS 0.00014
Exploits: 0, References: 2

Cvelist
added 2026/05/07 3:23 a.m., 35 views

CVE-2026-41890 CI4MS: Arbitrary Database Table Drop via Theme deleteProcess

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are pass...

CVSS 6.9, EPSS 0.00029
Exploits: 0, References: 2

ATTACKERKB
added 2026/05/07 3:16 a.m., 2 views

CVE-2026-41201

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated vi...

CVSS 9.1, AI score 5.7, EPSS 0.00057
Exploits: 0, References: 3

RedhatCVE
added 2026/04/11 1:21 a.m., 1 view

CVE-2026-39389

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0...

CVSS 7.2, AI score 5.8, EPSS 0.00025
Exploits: 1, References: 1

NVD
added 2026/04/08 3:16 p.m., 5 views

CVE-2026-39391

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into a...

CVSS 4.8, EPSS 0.00014
Exploits: 1, References: 1

Vulnrichment
added 2026/04/08 2:30 p.m., 4 views

CVE-2026-39392 CI4MS has Stored XSS in Pages Content Due to Missing html_purify Sanitization

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog...

CVSS 5.5, AI score 6, EPSS 0.00014
Exploits: 1, References: 1

CVE
added 2026/04/08 2:28 p.m., 4 views

CVE-2026-39389

Summary: CVE-2026-39389 affects CI4MS (CodeIgniter 4 CMS skeleton) via a hidden-items authorization bypass in the Fileeditor module. Public docs show that hiddenItems (e.g., .env, composer.json, vendor/, etc.) are enforced only in listing; readFile() allows reading any file under ROOTPATH, and sa...

CVSS 7.2, AI score 5.9, EPSS 0.00025
Exploits: 1, References: 1, Affected Software: 1

Positive Technologies
added 2026/04/08 12:0 a.m., 2 views

PT-2026-31316

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0...

CVSS 6.7, AI score 5.9, EPSS 0.00025
Exploits: 1, References: 2

Positive Technologies
added 2026/04/08 12:0 a.m., 2 views

PT-2026-31317

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting cMap field in compInfosPost sanitizes input using strip_tags with an allowlist and regex-based removal of...

CVSS 5.5, AI score 5.9, EPSS 0.00011
Exploits: 0, References: 2

ATTACKERKB
added 2026/04/01 9:28 p.m., 3 views

CVE-2026-34568

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker can inject a...

CVSS 9.1, AI score 5.7, EPSS 0.00018
Exploits: 1, References: 3, Affected Software: 1

CVE
added 2026/04/01 9:25 p.m., 3 views

CVE-2026-34564

CVE-2026-34564 affects CI4MS, a CodeIgniter 4-based CMS skeleton. Before 0.31.0.0, the Menu Management Pages feature fails to sanitize user-controlled input, storing data server-side and rendering it without proper output encoding. This leads to stored DOM-based XSS in both administrative interfa...

CVSS 9.1, AI score 5.7, EPSS 0.00018
Exploits: 1, References: 2, Affected Software: 1

ATTACKERKB
added 2026/04/01 9:25 p.m., 3 views

CVE-2026-34564

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Pages to navigation menus through the Menu Manageme...

CVSS 9.1, AI score 5.7, EPSS 0.00018
Exploits: 1, References: 3, Affected Software: 1

Cvelist
added 2026/03/30 8:24 p.m., 17 views

CVE-2026-34558 CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or...

CVSS 9.1, EPSS 0.00021
Exploits: 1, References: 1

Positive Technologies
added 2026/02/02 12:0 a.m., 3 views

PT-2026-6302

Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.28.5.0. Description: CI4MS is a CodeIgniter 4-based CMS skeleton that provides a production-ready, modular architecture with RBAC authorization and theme support. An authenticated user with file editor permissions can...

CVSS 9.9, AI score 6.2, EPSS 0.00156
Exploits: 1, References: 13

Packet Storm
added 2025/11/28 12:0 a.m., 207 views

CodeIgniter CMS 4.2.0 SQL Injection

Proof of concept exploit for the CodeIgniter CMS version 4.2.0 remote SQL injection vulnerability. Title: CodeIgniter CMS 4.2.0 SQL Injection Exploit ...

AI score 8.2
Exploits: 0

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2020-8571

Malware in sbrugna...

CVSS 4.3, AI score 4.9, EPSS 0.002
Exploits: 1, References: 3

Packet Storm
added 2022/08/01 12:0 a.m., 445 views

CodeIgniter CMS 4.2.0 SQL Injection

Exploit Title : CodeIgniter CMS Version 4.2.0 Sql Injection Vulnerability
Exploit Author : E1.Coders
Vendor Homepage : https://www.codeigniter.com/
Google Dork ONE : searchResult/?title=
Google Dork Two : Job/searchResult/?title=
Date : 15 / 05 ...

AI score 0.5
Exploits: 0

NVD
added 2020/08/28 5:15 p.m., 8 views

CVE-2020-16610

Hoosk Codeigniter CMS before 1.7.2 is affected by a Cross Site Request Forgery (CSRF). When an attacker induces an authenticated admin user to visit a malicious web page, any accounts can be deleted without the admin user's intention...

CVSS 4.3, AI score 4.6, EPSS 0.002
Exploits: 1, References: 2

Cvelist
added 2020/08/28 4:6 p.m., 9 views

CVE-2020-16610

Hoosk Codeigniter CMS before 1.7.2 is affected by a Cross Site Request Forgery (CSRF). When an attacker induces an authenticated admin user to visit a malicious web page, any accounts can be deleted without the admin user's intention...

AI score 4.6, EPSS 0.002
Exploits: 1, References: 2