6 matches found
tplink-priv-zero
TP-Link TL-WR841N v14 — Authenticated OS Command Injection RC...
CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
Summary The Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which writes it into the .env file via pregreplace. Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration...
GHSA-VFHX-5459-QHQH CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
Summary The Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which writes it into the .env file via pregreplace. Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration...
CVE-2026-39394
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which...
CVE-2026-39394
CI4MS vulnerable to CRLF injection in .env via unvalidated host parameter in Install::index(). Before 0.31.4.0, host is read without validation and appended to .env through updateEnvSettings() using preg_replace(), allowing newline characters to inject arbitrary key=value lines (e.g., app.baseURL...
PT-2026-31321
Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.4.0 Description CI4MS, a CodeIgniter 4-based CMS, is susceptible to arbitrary configuration injection via the .env file. The Install::index controller does not validate the host POST parameter before passing it to...