Arbitrary Code Injection in CodeIgniter 4-based CMS by CI4MS
CVE-2026-39394

8.1 HIGH

Key Information:

CVE Published: 8 April 2026

What is CVE-2026-39394?

A vulnerability exists in CI4MS, a CodeIgniter 4-based CMS, where the Install::index() controller improperly handles the host POST parameter by passing it directly to the updateEnvSettings() method, which writes it into the .env file without validation. Because newline characters are not stripped from the input, a value containing a newline terminates the intended line and lets an attacker append arbitrary configuration directives that the application then loads as its own settings. Notably, the install routes lack CSRF protection, and the protection on them can be bypassed when the cache settings are empty, increasing the risk of unauthorized access and configuration tampering. This issue has been addressed in version 0.31.4.0.
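The defect described above is newline injection into a line-oriented configuration file: any value that reaches a `.env` writer with an embedded line break becomes an extra directive. The PHP below is an added illustration, not CI4MS's code and not its actual `updateEnvSettings()` implementation; the function names, the key allowlist and the sample input are all constructed for the example. It places a hypothetical unsafe write beside a validated one and shows why the validation must reject control characters explicitly rather than rely on a `$`-anchored regex alone.

```php
<?php
// Added illustration, not CI4MS's own code. Function names, allowlist and
// sample values are hypothetical.
declare(strict_types=1);

/**
 * Hypothetical unsafe pattern: the raw value is interpolated into a .env line.
 * A value containing "\n" ends the intended line, so whatever follows it is
 * parsed as a separate directive when the file is loaded.
 */
function writeEnvLineUnsafe(string $envContents, string $key, string $value): string
{
    return $envContents . "\n" . $key . " = " . $value . "\n";
}

/**
 * Accept only a hostname, optionally followed by :port. This excludes newlines,
 * quotes, '#' and everything else a .env parser treats specially.
 */
function validateHost(string $host): string
{
    // Reject control characters first (covers "\r" and "\n"). This matters
    // because PCRE's "$" also matches just before a trailing newline, so a
    // regex alone would accept "example.test\n".
    if (preg_match('/[\x00-\x1F\x7F]/', $host) === 1) {
        throw new InvalidArgumentException('host contains control characters');
    }
    if (strlen($host) > 259) { // 253-char hostname plus ":65535"
        throw new InvalidArgumentException('host is too long');
    }
    // Hostname labels (letters, digits, hyphens), dot-separated, optional port.
    // The D modifier makes "$" match only at the very end of the string.
    $pattern = '/^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
             . '(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*'
             . '(?::[0-9]{1,5})?$/D';
    if (preg_match($pattern, $host) !== 1) {
        throw new InvalidArgumentException('host is not a valid hostname[:port]');
    }
    return $host;
}

/**
 * Hardened write: only allowlisted keys, only a validated value, and the value
 * is single-quoted so the parser treats it as one token.
 */
function writeEnvLineSafe(string $envContents, string $key, string $value): string
{
    // Illustrative allowlist of settings an installer might legitimately write.
    $allowedKeys = ['app.baseURL', 'database.default.hostname'];
    if (!in_array($key, $allowedKeys, true)) {
        throw new InvalidArgumentException('unexpected .env key');
    }
    $value = validateHost($value);
    return $envContents . "\n" . $key . " = '" . $value . "'\n";
}

// Constructed sample input: a host value carrying a newline and a second line.
$malformed = "example.test\ninjected.key = 1";

echo "--- unsafe write ---\n";
echo writeEnvLineUnsafe('', 'database.default.hostname', $malformed);

echo "--- safe write ---\n";
try {
    echo writeEnvLineSafe('', 'database.default.hostname', $malformed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
echo writeEnvLineSafe('', 'database.default.hostname', 'db.example.test:3306');
```

Run it with `php example.php`: the unsafe branch emits two directives from one input, the safe branch rejects the same input and accepts a well-formed host. The allowlist on keys is as important as the value check, since an installer that lets the caller choose the key would be writing arbitrary settings even with a clean value.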

Affected Version(s)

ci4ms < 0.31.4.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved