Critical severityGHSA Advisory· Published May 7, 2026· Updated May 7, 2026

CVE-2026-41202

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
ci4-cms-erp/ci4msPackagist	< 0.31.5.0	0.31.5.0

Affected products

Ci4 Cms Erp/Ci4msGHSA
Range: < 0.31.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-xp9f-pvvc-57p4ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41202ghsaADVISORY
github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0nvdWEB
github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xp9f-pvvc-57p4nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000