CodeIgniter 4-based CMS Vulnerability in CI4MS – Arbitrary Table Deletion Risk
CVE-2026-41890

6.9 MEDIUM

Key Information:

Status
Vendor
CVE Published: 7 May 2026

What is CVE-2026-41890?

CI4MS, a CMS built on CodeIgniter 4, contains a vulnerability in the deleteProcess() functionality. In versions from 0.31.1.0 to before 0.31.8.0, the application improperly handles POST parameters, allowing an authenticated administrator to submit arbitrary table names for deletion. The lack of validation against the theme's migration files means that any table can be dropped from the database, posing a serious risk to data integrity. This vulnerability has been addressed in version 0.31.8.0, where appropriate checks have been implemented to ensure table names are verified before any deletion takes place.
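The check described above, sketched as an added example; it is not CI4MS's own code or the actual patch. It assumes the theme's migrations create tables through CodeIgniter 4's `$this->forge->createTable('name')` with a literal name; the helper names, directory layout and sample data are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: collect the table names that a theme's migration files
// create through CodeIgniter 4's Forge call createTable('name').
function themeTables(string $migrationDir): array
{
    $tables = [];
    foreach (glob($migrationDir . '/*.php') ?: [] as $file) {
        $source = (string) file_get_contents($file);
        if (preg_match_all('/->createTable\(\s*[\'"]([A-Za-z0-9_]+)[\'"]/', $source, $m)) {
            foreach ($m[1] as $name) {
                $tables[$name] = true; // keyed to de-duplicate
            }
        }
    }
    return array_keys($tables);
}

// Hypothetical helper: split submitted names into those the theme's
// migrations created and everything else (including non-string input).
function partitionRequested(array $requested, array $allowed): array
{
    $ok = $rejected = [];
    foreach ($requested as $name) {
        if (is_string($name) && in_array($name, $allowed, true)) {
            $ok[] = $name;
        } else {
            $rejected[] = $name;
        }
    }
    return [$ok, $rejected];
}

// Constructed sample: one migration file in a temporary theme directory.
$dir = sys_get_temp_dir() . '/theme_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/2026-01-01-000000_CreateGallery.php',
    "<?php\n\$this->forge->createTable('theme_gallery');\n");

// Constructed request: one table the theme created, one it did not.
[$ok, $rejected] = partitionRequested(['theme_gallery', 'users'], themeTables($dir));
echo 'allowed to drop: ' . implode(',', $ok) . PHP_EOL;
echo 'refused: ' . count($rejected) . ' name(s)' . PHP_EOL;

array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

A handler built this way would reject the whole request when the refused list is non-empty and pass only the allowed names to the drop operation.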

Affected Version(s)

ci4ms >= 0.31.1.0, < 0.31.8.0

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
