Lucene search
K
Ci4-cms-erpCi4ms

27 matches found

CVE
CVE
added 2026/04/08 2:30 p.m.29 views

CVE-2026-39392

CI4MS is a CodeIgniter 4-based CMS skeleton. Prior to 0.31.4.0, the Pages module does not apply html_purify to content on create/update, so page content is stored unsanitized and rendered as raw HTML on the public frontend. An authenticated admin with page-editing privileges can inject arbitrary ...

5.5CVSS6AI score0.00247EPSS
CVE
CVE
added 2026/02/03 9:17 p.m.24 views

CVE-2026-25510

CVE-2026-25510 affects CI4MS, a CodeIgniter 4–based CMS skeleton. The vulnerability exists in the /backend/fileeditor/createFile and /backend/fileeditor/save endpoints, where an authenticated user with file editor permissions can upload and save files (including PHP) and execute arbitrary code on...

9.9CVSS6.1AI score0.00805EPSS
CVE
CVE
added 2026/04/06 4:49 p.m.23 views

CVE-2026-35035

Summary: CVE-2026-35035 affects CI4MS (CodeIgniter 4-based CMS skeleton). A stored XSS vulnerability exists in System Settings – Company Information where attacker-controlled fields (e.g., Company Name, Slogan, contact fields, Google Maps link, media fields) are input and persisted server-side, t...

9CVSS6AI score0.00455EPSS
CVE
CVE
added 2026/02/03 9:16 p.m.21 views

CVE-2026-25509

CI4MS is a CodeIgniter 4–based CMS skeleton. A vulnerability in the authentication flow allows unauthenticated attackers to enumerate registered emails via password-reset responses, by differentiating between existing vs non-existing emails. The issue is documented across multiple feeds (NVD, Red...

5.3CVSS5.5AI score0.00349EPSS
CVE
CVE
added 2026/04/01 9:28 p.m.21 views

CVE-2026-34567

CI4MS (CodeIgniter 4-based CMS skeleton) prior to 0.31.0.0 is vulnerable to stored XSS in the Categories section of blog posts due to insufficient input sanitization. An attacker can inject JavaScript into Categories content, which is stored server-side and rendered unsafely when viewing blog pos...

9.1CVSS5.7AI score0.00269EPSS
CVE
CVE
added 2026/04/06 4:25 p.m.21 views

CVE-2026-34989

CVE-2026-34989 affects the CI4MS CMS skeleton (CodeIgniter 4-based). The issue is stored XSS triggered by unsanitized input in the profile name field (full name/username). The payload is stored server-side and later rendered without proper encoding across multiple views, enabling persistent XSS. ...

9.4CVSS5.8AI score0.00297EPSS
CVE
CVE
added 2026/04/01 9:29 p.m.20 views

CVE-2026-34569

CI4MS is a CodeIgniter 4–based CMS skeleton. Prior to version 0.31.0.0, it fails to sanitize input when creating/editing blog categories, allowing stored XSS via the category title that is rendered unsafely across public blog/category pages and admin views. The issue is fixed in 0.31.0.0. The CVS...

9.9CVSS5.7AI score0.00324EPSS
CVE
CVE
added 2026/04/01 9:35 p.m.20 views

CVE-2026-34572

CI4MS is a CodeIgniter 4-based CMS skeleton. Before version 0.31.0.0, deactivated accounts do not have their active sessions revoked promptly; authentication-only enforcement allows already-authenticated users to retain access. The root cause is a backend logic flaw where account state changes ar...

8.8CVSS5.8AI score0.00502EPSS
CVE
CVE
added 2026/03/30 8:24 p.m.16 views

CVE-2026-34557

CI4MS is a CodeIgniter 4–based CMS skeleton. Prior to version 0.31.0.0, it fails to sanitize user input in group/role management, allowing three group-related fields to carry malicious JavaScript that is stored server-side and later rendered in privileged admin views without proper encoding, caus...

9.1CVSS5.7AI score0.00307EPSS
CVE
CVE
added 2026/04/08 2:29 p.m.16 views

CVE-2026-39390

CVE-2026-39390 affects CI4MS (CodeIgniter 4-based CMS skeleton). Before version 0.31.4.0, the Google Maps iframe setting (cMap) in compInfosPost() sanitizes input with strip_tags() for an allowlist and regex stripping of on\w+ handlers, but the srcdoc attribute is not filtered, allowing an attac...

5.5CVSS5.9AI score0.00235EPSS
CVE
CVE
added 2026/04/01 9:21 p.m.15 views

CVE-2026-34560

CVE-2026-34560 affects CI4MS, a CodeIgniter 4–based CMS skeleton. Before version 0.31.0.0, the logs interface renders user-controlled input unsafely, storing a payload that may execute later as a blind XSS when an administrator views the logs. This can enable full account takeover for all roles a...

9.1CVSS5.8AI score0.0038EPSS
CVE
CVE
added 2026/04/01 9:23 p.m.15 views

CVE-2026-34562

CI4MS (CodeIgniter 4-based CMS skeleton) prior to 0.31.0.0 suffers a stored DOM XSS vulnerability in System Settings – Company Information. Attacker-controlled inputs in fields such as Company Name, Slogan, contact details, and Google Maps/ media links are stored server-side and rendered without ...

9CVSS5.8AI score0.00274EPSS
CVE
CVE
added 2026/04/08 2:28 p.m.15 views

CVE-2026-39389

Summary: CVE-2026-39389 affects CI4MS (CodeIgniter 4 CMS skeleton) via a hidden-items authorization bypass in the Fileeditor module. Public docs show that hiddenItems (e.g., .env, composer.json, vendor/, etc.) are enforced only in listing; readFile() allows reading any file under ROOTPATH, and sa...

7.2CVSS5.9AI score0.00471EPSS
CVE
CVE
added 2026/04/01 9:26 p.m.14 views

CVE-2026-34565

CI4MS (CodeIgniter 4-based CMS skeleton) is affected prior to version 0.31.0.0 by a stored DOM-based XSS in Menu Management when adding Posts to navigation menus; post data is stored server-side and rendered without proper output encoding in both admin dashboards and public menus, leading to stor...

9.1CVSS5.7AI score0.00269EPSS
CVE
CVE
added 2026/04/08 2:31 p.m.14 views

CVE-2026-39393

CVE-2026-39393 affects the ci4ms CodeIgniter 4-based CMS skeleton. Before 0.31.4.0, the install route guard uses a volatile cache check (cache('settings')) and .env existence to block setup access; if the database is temporarily unreachable during a cache miss, the guard can fail open, allowing a...

8.1CVSS5.9AI score0.00421EPSS
CVE
CVE
added 2026/03/30 8:24 p.m.13 views

CVE-2026-27599

CI4MS (CodeIgniter 4-based CMS skeleton) is affected by a stored DOM XSS in System Settings – Mail Settings. Prior to version 0.31.0.0, fields such as Mail Server, Mail Port, Email Address, Email Password, Mail Protocol and TLS settings accept attacker-controlled input that is stored server-side ...

7.2CVSS5.8AI score0.00358EPSS
CVE
CVE
added 2026/04/01 9:20 p.m.13 views

CVE-2026-34559

CI4MS (CodeIgniter 4-based CMS skeleton) is affected prior to version 0.31.0.0. A stored cross-site scripting (XSS) flaw arises from improper sanitization when creating or editing blog tags, allowing an attacker to inject a malicious JavaScript payload in the tag name that is stored server-side a...

9.1CVSS5.7AI score0.00324EPSS
CVE
CVE
added 2026/04/01 9:23 p.m.13 views

CVE-2026-34561

Summary of CVE-2026-34561 : CI4MS (CodeIgniter 4-based CMS skeleton) before version 0.31.0.0 is vulnerable to a stored DOM XSS in System Settings → Social Media Management. Attacker-controlled input entered in fields such as Social Media and Social Media Link is stored server-side and rendered wi...

8.4CVSS5.8AI score0.00229EPSS
CVE
CVE
added 2026/04/01 9:30 p.m.13 views

CVE-2026-34570

CI4MS is a CodeIgniter 4-based CMS skeleton. Before version 0.31.0.0, it does not immediately revoke active sessions when an account is deleted due to a backend logic flaw that enforces account state changes only at login, leaving existing sessions valid indefinitely. This allows deleted accounts...

8.8CVSS5.8AI score0.00502EPSS
CVE
CVE
added 2026/04/08 2:32 p.m.13 views

CVE-2026-39394

CI4MS vulnerable to CRLF injection in .env via unvalidated host parameter in Install::index(). Before 0.31.4.0, host is read without validation and appended to .env through updateEnvSettings() using preg_replace(), allowing newline characters to inject arbitrary key=value lines (e.g., app.baseURL...

9.8CVSS6.1AI score0.00516EPSS
CVE
CVE
added 2026/03/30 8:24 p.m.12 views

CVE-2026-34558

CI4MS is a CodeIgniter 4-based CMS skeleton. Affected versions prior to 0.31.0.0 expose stored DOM-based XSS via the Methods Management functionality where attacker-controlled input is stored server-side and later rendered in admin interfaces and global navigation without proper encoding. The roo...

9.1CVSS5.8AI score0.00307EPSS
CVE
CVE
added 2026/04/01 9:25 p.m.12 views

CVE-2026-34563

CVE-2026-34563 (CI4MS) is a vulnerability in the CodeIgniter 4–based CMS skeleton where, before version 0.31.0.0, user input is not properly sanitized during backup uploads and backup metadata processing. An attacker can inject a malicious JavaScript payload into the backup filename via an xss.sq...

9.1CVSS5.8AI score0.00269EPSS
CVE
CVE
added 2026/04/01 9:25 p.m.12 views

CVE-2026-34564

CVE-2026-34564 affects CI4MS, a CodeIgniter 4-based CMS skeleton. Before 0.31.0.0, the Menu Management Pages feature fails to sanitize user-controlled input, storing data server-side and rendering it without proper output encoding. This leads to stored DOM-based XSS in both administrative interfa...

9.1CVSS5.7AI score0.00307EPSS
CVE
CVE
added 2026/04/08 2:30 p.m.12 views

CVE-2026-39391

CVE-2026-39391 affects CI4MS, a CodeIgniter 4-based CMS skeleton. Before 0.31.4.0, the blacklist (ban) note parameter stored in the database was rendered into an HTML data-note attribute without escaping, enabling a stored XSS when an admin with blacklist privileges views the user management page...

4.8CVSS6AI score0.0023EPSS
CVE
CVE
added 2026/04/01 9:28 p.m.11 views

CVE-2026-34568

CVE-2026-34568 affects CI4MS, a CodeIgniter 4–based CMS skeleton. The root cause is improper sanitization of user-controlled input when creating or editing blog posts, allowing a stored JavaScript payload in blog content. The payload is stored server-side and later rendered in multiple views with...

9.1CVSS5.7AI score0.00317EPSS
CVE
CVE
added 2026/04/01 9:27 p.m.10 views

CVE-2026-34566

CVE-2026-34566 affects CI4MS, a CodeIgniter 4-based CMS skeleton. Prior to version 0.31.0.0, user-controlled input in Page Management is not properly sanitized, allowing attacker-controlled JavaScript to be stored server-side and later rendered without output encoding in admin page lists and publ...

9.1CVSS5.7AI score0.00269EPSS
CVE
CVE
added 2026/04/01 9:32 p.m.10 views

CVE-2026-34571

CI4MS is a CodeIgniter 4-based CMS skeleton. Before version 0.31.0.0, a Stored XSS vulnerability exists in the backend user management functionality due to inadequate input sanitization when rendering in the admin interface. This enables persistent JavaScript execution, leading to potential sessi...

9.9CVSS6AI score0.00393EPSS