VYPR

Vendor CVEs

Ci4 CMS ERP

All CVEs

36 total · sorted by risk
  • CVE-2026-34571 · Critical · Apr 1, 2026
    risk 0.64 · cvss 9.9 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, a Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality.…

  • CVE-2026-34569 · Critical · Apr 1, 2026
    risk 0.64 · cvss 9.9 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog categories. An…

  • CVE-2026-41203 · Critical · May 7, 2026
    risk 0.61 · cvss n/a · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an…

  • CVE-2026-41202 · Critical · May 7, 2026
    risk 0.61 · cvss n/a · epss 0.01

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an…

  • CVE-2026-41201 · Critical · May 7, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename…

  • CVE-2026-34989 · Critical · Apr 6, 2026
    risk 0.59 · cvss 9.0 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name…

  • CVE-2026-34568 · Critical · Apr 1, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts. An…

  • CVE-2026-34567 · Critical · Apr 1, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts within…

  • CVE-2026-34566 · Critical · Apr 1, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Page Management functionality when…

  • CVE-2026-34565 · Critical · Apr 1, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through…

  • CVE-2026-34564 · Critical · Apr 1, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Pages to navigation menus through…

  • CVE-2026-34563 · Critical · Apr 1, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when handling backup uploads and processing…

  • CVE-2026-34560 · Critical · Apr 1, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload…

  • CVE-2026-34559 · Critical · Apr 1, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog tags. An…

  • CVE-2026-34572 · High · Apr 1, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a…

  • CVE-2026-34570 · High · Apr 1, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic…

  • CVE-2026-39394 · High · Apr 8, 2026
    risk 0.53 · cvss 8.1 · epss 0.01

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation and passes it directly into…

  • CVE-2026-39393 · High · Apr 8, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file…

  • CVE-2026-34558 · Critical · Mar 30, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality…

  • CVE-2026-34557 · Critical · Mar 30, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within group and role management…

  • CVE-2026-41587 · High · May 7, 2026
    risk 0.49 · cvss n/a · epss 0.01

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version 0.31.7.0, a theme upload feature allows any authenticated backend user with theme-upload…

  • CVE-2026-35035 · High · Apr 6, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information.…

  • CVE-2026-45270 · High · May 18, 2026
    risk 0.45 · cvss n/a · epss 0.00

    The `Pages` backend module registers the `html_purify` validation rule on language-keyed page content but persists the raw, un-purified POST value into the database. The public renderer for pages (`Home::index()` → `app/Views/templates/default/pages.php`) emits…

  • CVE-2026-39389 · Medium · Apr 8, 2026
    risk 0.44 · cvss 6.7 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0.

  • CVE-2026-41890 · Medium · May 7, 2026
    risk 0.38 · cvss n/a · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess() action accepts a POST parameter tables[] containing arbitrary table…

  • CVE-2026-39392 · Medium · Apr 8, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations,…

  • CVE-2026-39390 · Medium · Apr 8, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an …

  • CVE-2026-39391 · Medium · Apr 8, 2026
    risk 0.31 · cvss 4.8 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without…

  • CVE-2026-34562 · Medium · Apr 1, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company…

  • CVE-2026-34561 · Medium · Apr 1, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Social Media…

  • CVE-2026-41891 · Medium · May 7, 2026
    risk 0.27 · cvss n/a · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been…

  • CVE-2026-27599 · Medium · Mar 30, 2026
    risk 0.24 · cvss 4.7 · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings.…

  • CVE-2026-45139 · May 18, 2026
    risk 0.00 · cvss n/a · epss 0.00

    The Fileeditor module enforces an extension allowlist (`['css','js','html','txt','json','sql','md']`) on content-write operations (`saveFile`, `createFile`), but two destructive endpoints — `deleteFileOrFolder` and `renameFile` — never validate the extension of…

  • CVE-2026-45138 · May 18, 2026
    risk 0.00 · cvss n/a · epss 0.00

    The custom `html_purify` validation rule used to sanitize blog post bodies relies on by-reference mutation (`?string &$str`), but CodeIgniter 4's validator passes a local copy of the value, so the sanitized text is silently discarded. The Blog controller writes…

  • CVE-2026-25510 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.01

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the…

  • CVE-2026-25509 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can…