Critical severityGHSA Advisory· Published May 7, 2026· Updated May 7, 2026

CVE-2026-41203

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
ci4-cms-erp/ci4msPackagist	< 0.31.5.0	0.31.5.0

Affected products

Ci4 Cms Erp/Ci4msGHSA
Range: < 0.31.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-xv3r-vr59-95rgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41203ghsaADVISORY
github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0nvdWEB
github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xv3r-vr59-95rgnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000