1. Home
  2. CVE Database
  3. CVE-2026-25510
CRITICAL · 9.9

CVE-2026-25510

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file...

Vulnerability Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.

CVSS Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
Ci4-Cms-ErpCi4Ms< 0.28.5.0

Related Weaknesses (CWE)

CWE-94CWE-434

References

FAQ

What is CVE-2026-25510?

CVE-2026-25510 is a vulnerability with a CVSS score of 9.9 (CRITICAL). CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file...

How severe is CVE-2026-25510?

CVE-2026-25510 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-25510?

Check the references section above for vendor advisories and patch information. Affected products include: Ci4-Cms-Erp Ci4Ms.