CodeIgniter 4-based CMS Vulnerability in CI4MS by CI4-CMS
CVE-2026-39393

8.1HIGH

Key Information:

Vendor: Ci4-cms-erp
Status: Ci4ms
Vendor: CVE Published:; 8 April 2026

🔔 Create Ci4-cms-erp Vulnerability Alert

What is CVE-2026-39393?

The CI4MS application, a modular CMS built on CodeIgniter 4, suffers from a vulnerability that allows unauthenticated attackers to bypass post-installation security measures. This occurs due to faulty reliance on a volatile cache to control access to the setup wizard. If the database becomes temporarily inaccessible during a cache miss, the security guard fails, granting attackers the ability to overwrite critical configuration files with malicious database credentials. This flaw puts the entire application at risk, enabling full control to malicious actors. The vulnerability has been addressed in version 0.31.4.0.

Affected Version(s)

ci4ms < 0.31.4.0

References

https://github.com/ci4-cms-erp/ci4ms/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-39393 Data

JSON