VYPR

Packagist (Composer) package

ci4-cms-erp/ci4ms

pkg:composer/ci4-cms-erp/ci4ms

Vulnerabilities (33)

  • CVE-2026-41891 | Medium | May 7, 2026
    affected: >= 0.26.0, < 0.31.8.0 | fixed: 0.31.8.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been p

  • CVE-2026-41890 | Medium | May 7, 2026
    affected: >= 0.31.1.0, < 0.31.8.0 | fixed: 0.31.8.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess() action accepts a POST parameter tables[] containing arbitrary table

  • CVE-2026-41587 | High | May 7, 2026
    affected: >= 0.26.0.0, < 0.31.7.0 | fixed: 0.31.7.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version 0.31.7.0, a theme upload feature allows any authenticated backend user with theme-upload permissio

  • CVE-2026-41203 | Critical | May 7, 2026
    affected: < 0.31.5.0 | fixed: 0.31.5.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticat

  • CVE-2026-41202 | Critical | May 7, 2026
    affected: < 0.31.5.0 | fixed: 0.31.5.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authentic

  • CVE-2026-41201 | Critical | May 7, 2026
    affected: < 0.31.5.0 | fixed: 0.31.5.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename fie

  • CVE-2026-39394 | High | Apr 8, 2026
    affected: < 0.31.4.0 | fixed: 0.31.4.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation and passes it directly into update

  • CVE-2026-39393 | High | Apr 8, 2026
    affected: < 0.31.4.0 | fixed: 0.31.4.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file ex

  • CVE-2026-39392 | Medium | Apr 8, 2026
    affected: < 0.31.4.0 | fixed: 0.31.4.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations,

  • CVE-2026-39391 | Medium | Apr 8, 2026
    affected: < 0.31.4.0 | fixed: 0.31.4.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitizat

  • CVE-2026-39390 | Medium | Apr 8, 2026
    affected: < 0.31.4.0 | fixed: 0.31.4.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an allo

  • CVE-2026-39389 | Medium | Apr 8, 2026
    affected: < 0.31.4.0 | fixed: 0.31.4.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0.

  • CVE-2026-35035 | High | Apr 6, 2026
    affected: < 0.31.2.0 | fixed: 0.31.2.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several

  • CVE-2026-34989 | Critical | Apr 6, 2026
    affected: < 31.0.0.0 | fixed: 31.0.0.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name

  • CVE-2026-34572 | High | Apr 1, 2026
    affected: < 0.31.0.0 | fixed: 0.31.0.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic

  • CVE-2026-34571 | Critical | Apr 1, 2026
    affected: < 0.31.0.0 | fixed: 0.31.0.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, a Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality. T

  • CVE-2026-34570 | High | Apr 1, 2026
    affected: < 0.31.0.0 | fixed: 0.31.0.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic fla

  • CVE-2026-34569 | Critical | Apr 1, 2026
    affected: < 0.31.0.0 | fixed: 0.31.0.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog categories. An a

  • CVE-2026-34568 | Critical | Apr 1, 2026
    affected: < 0.31.0.0 | fixed: 0.31.0.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts. An attack

  • CVE-2026-34567 | Critical | Apr 1, 2026
    affected: < 0.31.0.0 | fixed: 0.31.0.0

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts within the
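CVE-2026-41203 and CVE-2026-41202 above describe the same mechanism in two places (Theme::upload and Backup::restore): a ZIP uploaded by an authenticated user is extracted without validating entry names, so an entry named like ../../public/x.php is written outside the intended directory. The block below is an added illustration of the per-entry validation such a fix needs; it was written for this page and is not ci4ms's own upload or restore code, nor its patch. The function names, temporary paths and entry names are invented, and the demo archive is constructed inline. It deliberately avoids ZipArchive::extractTo() and validates every name itself, so it does not depend on what a given PHP build's extractTo() does or does not check.

```php
<?php
declare(strict_types=1);

/**
 * Normalise a ZIP entry name and reject anything that could escape the
 * extraction root. Returns the relative path to use, or null if unsafe.
 */
function safe_entry_relpath(string $name): ?string
{
    $name = str_replace('\\', '/', $name);   // crafted archives may use backslashes
    if ($name === '' || $name[0] === '/' || str_contains($name, "\0")
        || preg_match('/^[A-Za-z]:/', $name) === 1) {
        return null;                          // absolute path, drive letter or NUL byte
    }
    $parts = [];
    foreach (explode('/', $name) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                         // collapse "//" and "./"
        }
        if ($seg === '..') {
            return null;                      // any parent reference is rejected outright
        }
        $parts[] = $seg;
    }
    return $parts === [] ? null : implode('/', $parts);
}

/**
 * Extract $zipPath into $destDir one entry at a time instead of calling
 * ZipArchive::extractTo(). Returns [extracted names, rejected names].
 */
function extract_zip_safely(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    if (!is_dir($destDir) && !mkdir($destDir, 0750, true)) {
        throw new RuntimeException("cannot create $destDir");
    }
    $base = realpath($destDir);
    $extracted = $rejected = [];

    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $rel  = safe_entry_relpath($name);
        if ($rel === null) {
            $rejected[] = $name;
            continue;
        }
        $isDir  = str_ends_with($name, '/');
        $target = $base . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $rel);
        $parent = $isDir ? $target : dirname($target);
        if (!is_dir($parent) && !mkdir($parent, 0750, true)) {
            $rejected[] = $name;
            continue;
        }
        // Second check at filesystem level: the resolved parent must still be
        // inside $base (covers a symlink that already exists under $destDir).
        $realParent = realpath($parent);
        if ($realParent !== $base
            && !str_starts_with((string) $realParent, $base . DIRECTORY_SEPARATOR)) {
            $rejected[] = $name;
            continue;
        }
        if (!$isDir) {
            $in  = $zip->getStream($name);
            $out = fopen($target, 'wb');      // always a regular file; symlink entries are not recreated
            if ($in === false || $out === false) {
                throw new RuntimeException("cannot write $name");
            }
            stream_copy_to_stream($in, $out);
            fclose($in);
            fclose($out);
        }
        $extracted[] = $rel;
    }
    $zip->close();
    return [$extracted, $rejected];
}

// Constructed demo archive (not a real theme or backup package): one benign
// entry and one entry with a traversal name of the kind the advisories describe.
$tmp = sys_get_temp_dir() . '/zipslip-demo-' . getmypid();
mkdir($tmp, 0750, true);
$zipFile = $tmp . '/upload.zip';
$zip = new ZipArchive();
$zip->open($zipFile, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('demo-theme/theme.json', '{"name":"demo"}');
$zip->addFromString('../../public/backdoor.php', '<?php echo "owned";');
$zip->close();

[$ok, $bad] = extract_zip_safely($zipFile, $tmp . '/themes');
echo 'extracted: ' . implode(', ', $ok) . PHP_EOL;
echo 'rejected:  ' . implode(', ', $bad) . PHP_EOL;
```

Two checks are made on purpose: the string-level one catches the crafted name before anything touches the disk, and the realpath() one catches the case where an earlier entry or a pre-existing symlink makes an innocent-looking relative path resolve outside the root. Writing every entry through getStream() into a freshly opened regular file also means an archive cannot plant a symlink for a later entry to follow.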
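CVE-2026-41891, CVE-2026-34572 and CVE-2026-34570 above come down to one gap: an account is deactivated, banned or deleted, but a session that already exists keeps working because the auth filter that runs on every backend request does not re-check the account's current status (in 41891 the check is described as commented out). The filter below is an added illustration of that per-request check, written for this page as a hypothetical CodeIgniter 4 filter; it is not ci4ms's own filter. The session key user_id, the tables users and blacklist and the columns is_active, deleted_at and user_id are assumptions, as is the /login route.

```php
<?php
declare(strict_types=1);

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use Config\Database;

/**
 * Hypothetical auth filter that re-validates the account on every request,
 * so deactivating, banning or deleting a user ends any existing session at
 * the next request rather than at the next login.
 */
class AccountStatusFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();
        $userId  = $session->get('user_id');          // assumed session key
        if ($userId === null) {
            return redirect()->to('/login');
        }

        // Assumed schema: users(id, is_active, deleted_at), blacklist(user_id).
        // One primary-key lookup per request; cheap compared to the rest of a page load.
        $row = Database::connect()->table('users')
            ->select('users.is_active, users.deleted_at, blacklist.user_id AS banned')
            ->join('blacklist', 'blacklist.user_id = users.id', 'left')
            ->where('users.id', $userId)
            ->get()
            ->getRowArray();

        if (self::rejectionReason($row) !== null) {
            // Revoke the whole session, not just the user_id key; a fresh
            // session id is issued on the next request.
            $session->destroy();
            return redirect()->to('/login');
        }
        return null;
    }

    /**
     * Pure decision logic, separated from the DB so it can be unit-tested.
     * A missing row (deleted account) is rejected like any other bad state.
     */
    public static function rejectionReason(?array $row): ?string
    {
        if ($row === null) {
            return 'account no longer exists';
        }
        if ($row['deleted_at'] !== null) {
            return 'account deleted';
        }
        if ((int) $row['is_active'] !== 1) {
            return 'account deactivated';
        }
        if ($row['banned'] !== null) {
            return 'account banned';
        }
        return null;
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        return null;
    }
}
```

In CodeIgniter 4 such a filter is registered under an alias in app/Config/Filters.php and applied to the backend route group. Checking status on each request is the robust half of a fix; it works even when the session handler offers no way to enumerate and destroy another user's server-side sessions. Destroying the target user's sessions at the moment an admin deactivates or bans them is a useful addition where the handler supports it, but on its own it leaves the window the advisories describe if the filter still trusts a cached "logged in" flag.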

Page 1 of 2