CVE-2026-41890 CI4MS: Arbitrary Database Table Drop via Theme deleteProcess

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are pass...

CVE-2026-41890

CVE-2026-41890 affects CI4MS prior to 0.31.8.0. The issue arises in the deleteProcess() action where the POST parameter tables[] is passed directly to $forge->dropTable() without validating that the tables belong to the theme being deleted. The deleteConfirm view uses the theme’s own migration...