CVE-2026-41890

CVE-2026-41890 affects CI4MS prior to 0.31.8.0. The issue arises in the deleteProcess() action where the POST parameter tables[] is passed directly to $forge->dropTable() without validating that the tables belong to the theme being deleted. The deleteConfirm view uses the theme’s own migration...

CVE-2026-41890 CI4MS: Arbitrary Database Table Drop via Theme deleteProcess

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are pass...

EUVD-2026-28292

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are pass...

CVE-2026-41890 CI4MS: Arbitrary Database Table Drop via Theme deleteProcess

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are pass...

CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess

Summary The deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are passed directly to $forge-dropTable without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables from the theme's own migration...

GHSA-VGRF-PR28-VF98 CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess

Summary The deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are passed directly to $forge-dropTable without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables from the theme's own migration...

PT-2026-37160

Name of the Vulnerable Software and Affected Versions CI4MS versions 0.31.1.0 through 0.31.7.0 Description The deleteProcess function in the /backend/themes/delete-process/slug endpoint fails to validate the tables POST parameter. An authenticated administrator can send a crafted request containi...

VulnCheck KEV: CVE-2025-11372

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to modification of data in all versions up to, and including, 4.2.9.2. This is due to missing capability checks on the Admin Tools REST endpoints which are registered with permissioncallback set to returntrue. This makes it...

EUVD-2021-16251

Malware in sbrugna...

GHSA-7VW7-QX38-37VR Propel2 SQL injection possible with limit() on MySQL

The limit query method is susceptible to catastrophic SQL injection with MySQL. For example, given a model User for a table users: UserQuery::create-limit'1;DROP TABLE users'-find; This will drop the users table! The cause appears to be a lack of integer casting of the limit input in either...

CVE-2021-29777

IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server 9.7, 10.1, 10.5, 11.1, and 11.5, under specific circumstance of a table being dropped while being accessed in another session, could allow an authenticated user to cause a denial of srevice IBM X-Force ID: 203031...