Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-39393— Post-Installation Re-entry via Cache-Dependent Install Guard Bypass in ci4ms

CVSS 8.1 · High EPSS 0.04% · P12
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-39393

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Post-Installation Re-entry via Cache-Dependent Install Guard Bypass in ci4ms
Source: NVD (National Vulnerability Database)
Vulnerability Description
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss (TTL expiry or admin-triggered cache clear), the guard fails open, allowing an unauthenticated attacker to overwrite the .env file with attacker-controlled database credentials, achieving full application takeover. This vulnerability is fixed in 0.31.4.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
关键功能的认证机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
CI4MS 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
CI4MS是Ci4MS开源的一个博客页面管理工具。 CI4MS 0.31.4.0之前版本存在访问控制错误漏洞,该漏洞源于安装路由防护仅依赖易失性缓存检查,可能导致数据库暂时不可访问时防护失效,允许未经验证的攻击者覆盖.env文件并实现完全应用程序接管。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
ci4-cms-erpci4ms < 0.31.4.0 -

II. Public POCs for CVE-2026-39393

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-39393

登录查看更多情报信息。

Same Patch Batch · ci4-cms-erp · 2026-04-08 · 6 CVEs total

CVE-2026-393948.1 HIGHCI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
CVE-2026-393896.7 MEDIUMCI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Wri
CVE-2026-393905.5 MEDIUMCI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting
CVE-2026-393925.5 MEDIUMCI4MS has Stored XSS in Pages Content Due to Missing html_purify Sanitization
CVE-2026-393914.8 MEDIUMCI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List

IV. Related Vulnerabilities

Same product: ci4ms
Same vendor: ci4-cms-erp
Same weakness: CWE-306

V. Comments for CVE-2026-39393

No comments yet

Leave a comment