CodeIgniter 4 CMS skeleton vulnerability affecting CI4MS product
CVE-2026-41202

9.4 CRITICAL

Key Information:

CVE Published:
7 May 2026

What is CVE-2026-41202?

CI4MS, a CMS skeleton built on CodeIgniter 4, improperly handles user-uploaded ZIP archives. In versions below 0.31.5.0, the Backup::restore feature extracts archive entries without validating their paths, so an authenticated user who holds backup creation permissions can supply a crafted archive. This is a Zip Slip weakness: entry names containing path traversal sequences let the archive write files to arbitrary locations on the filesystem. In particular, a PHP file can be dropped into the public web root, resulting in unauthorized remote code execution. The issue has been addressed in version 0.31.5.0.
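The fix for this class of bug is to validate every entry name before anything is written. The following is an added example, not CI4MS's own code; it assumes PHP's built-in ZipArchive and uses constructed sample names to show which entries a restore routine should refuse.

```php
<?php
// Added example, not CI4MS code: validate every ZIP entry name before a restore
// writes anything. The sample names at the bottom are constructed.
// True only if $entryName, resolved lexically, stays inside the extraction
// directory. It inspects the name alone, so it runs before any file is written.
function zipEntryIsSafe(string $entryName): bool
{
    // Normalise separators: backslash entries are a common traversal bypass.
    $name = str_replace('\\', '/', $entryName);
    // Absolute paths, drive letters and NUL bytes never belong in a backup.
    if ($name === '' || $name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)
        || strpos($name, "\0") !== false) {
        return false;
    }
    // Resolve "." and ".." lexically; a ".." that climbs above the root fails.
    $depth = 0;
    foreach (explode('/', $name) as $segment) {
        if ($segment === '' || $segment === '.') continue;
        if ($segment === '..') {
            if (--$depth < 0) return false;
            continue;
        }
        $depth++;
    }
    return true;
}
// Extract $zipPath into $destDir, refusing the whole archive if any entry is
// unsafe, so a hostile backup writes nothing rather than "most" of itself.
function safeExtract(string $zipPath, string $destDir): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!zipEntryIsSafe($name)) {
            $zip->close();
            throw new RuntimeException("refusing archive: unsafe entry '$name'");
        }
    }
    $zip->extractTo($destDir);
    $zip->close();
}
// Constructed sample names: the first two are benign, the rest must be rejected.
foreach (['app/Config/App.php', 'a/../b.txt', '../public/x.php', '/etc/x', 'a\\..\\..\\x', 'C:/x'] as $n) {
    printf("%-20s %s\n", $n, zipEntryIsSafe($n) ? 'ok' : 'REJECT');
}
```

A lexical check does not cover symlinks that already exist under the destination; extracting into a fresh empty directory and copying the result into place afterwards closes that gap.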

Affected Version(s)

ci4ms < 0.31.5.0

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved