Zip Slip Vulnerability in CI4MS CMS by CodeIgniter
CVE-2026-41203

9.4 CRITICAL

Key Information:

CVE Published: 7 May 2026

What is CVE-2026-41203?

CI4MS, a CMS built on CodeIgniter 4, has a Zip Slip vulnerability in its Theme::upload feature. An authenticated user with theme creation permissions can upload a ZIP file, and the upload process does not validate the entry names inside the archive, so an attacker can potentially write files to arbitrary locations in the filesystem. This flaw can lead to remote code execution by dropping malicious PHP scripts in the public web directory. The issue has been addressed in version 0.31.5.0.

Affected Version(s)

ci4ms < 0.31.5.0

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
