
ci4ms — Vulnerabilities & Security Advisories (33)

All 33 CVE vulnerabilities found in ci4ms, with AI-generated Chinese analysis, references, and POCs.

This page collects the publicly disclosed vulnerabilities in ci4ms (vendor: ci4-cms-erp), aggregated from public CVE data and vendor advisories and ordered by publication date. Seen together rather than one advisory at a time, the entries show the product's security history: how often advisories appear, how severe they tend to be, and which weakness classes recur. Three patterns stand out in the table below. Stored cross-site scripting (CWE-79) is reported in nearly every backend module, from blog posts and categories to menus, pages, logs, permissions and system settings. Account-state handling is weak: sessions of deactivated or deleted users stay valid (CWE-284, CWE-613), and the installer can be re-entered after installation (CWE-306). File and archive handling in the theme, backup, install and file-editor features leads to path traversal, arbitrary file write, CRLF injection into .env, unauthorized reads and writes, and remote code execution (CWE-22, CWE-434, CWE-93, CWE-285), with one theme-deletion parameter able to drop database tables (CWE-20). Security analysts, developers and administrators can use the list to judge the risk of an existing deployment, decide whether to adopt the product, and prioritise patching and mitigation.

One caveat when reading the table: titles are submitter-supplied and do not always agree with the score. Several entries describe "full account takeover" or "full platform compromise" yet carry Medium scores (for example CVE-2026-34562 and CVE-2026-34561 at 4.7), so the CVSS vector in the underlying advisory, not the title, is the better guide to actual impact.

Vendor: ci4-cms-erp

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2026-41891 | CI4MS: Deactivated User Session Bypass (active=0) | CWE-613 | 9.1 (AI) | Critical (AI) | 2026-05-07
CVE-2026-41890 | CI4MS: Arbitrary Database Table Drop via Theme deleteProcess | CWE-20 | 9.8 (AI) | Critical (AI) | 2026-05-07
CVE-2026-41203 | ci4ms Theme::upload is vulnerable to Zip Slip leading to RCE | CWE-22 | 8.8 (AI) | High (AI) | 2026-05-07
CVE-2026-41202 | ci4ms Backup::restore is vulnerable to Zip Slip leading to RCE | CWE-22 | 8.8 (AI) | High (AI) | 2026-05-07
CVE-2026-41201 | CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS Version 2 | CWE-79 | 9.1 | Critical | 2026-05-07
CVE-2026-41587 | CI4MS: Unrestricted PHP File Upload via Theme Installation Leads to Authenticated Remote Code Execution | CWE-434 | 8.8 (AI) | High (AI) | 2026-05-07
CVE-2026-39394 | CI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller | CWE-93 | 8.1 | High | 2026-04-08
CVE-2026-39393 | Post-Installation Re-entry via Cache-Dependent Install Guard Bypass in ci4ms | CWE-306 | 8.1 | High | 2026-04-08
CVE-2026-39392 | CI4MS has Stored XSS in Pages Content Due to Missing html_purify Sanitization | CWE-79 | 5.5 | Medium | 2026-04-08
CVE-2026-39391 | CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List | CWE-79 | 4.8 | Medium | 2026-04-08
CVE-2026-39390 | CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting | CWE-79 | 5.5 | Medium | 2026-04-08
CVE-2026-39389 | CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files | CWE-285 | 6.7 | Medium | 2026-04-08
CVE-2026-35035 | CI4MS Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS | CWE-79 | 7.2 | High | 2026-04-06
CVE-2026-34989 | CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-06
CVE-2026-34572 | CI4MS: Account Deactivation Module Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw) | CWE-284 | 8.8 | High | 2026-04-01
CVE-2026-34571 | CI4MS: Stored Cross-Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise | CWE-79 | 10.0 | Critical | 2026-04-01
CVE-2026-34570 | CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw) | CWE-284 | 8.8 | High | 2026-04-01
CVE-2026-34569 | CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 10.0 | Critical | 2026-04-01
CVE-2026-34568 | CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34567 | CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34566 | CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34565 | CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34564 | CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34563 | CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34562 | CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 4.7 | Medium | 2026-04-01
CVE-2026-34561 | CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 4.7 | Medium | 2026-04-01
CVE-2026-34560 | CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34559 | CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34558 | CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 9.1 | Critical | 2026-03-30
CVE-2026-34557 | CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | CWE-79 | 9.1 | Critical | 2026-03-30

A score or severity marked (AI) was generated automatically by this site (the page labels such values "AI") rather than taken from the CNA's record, and should be re-derived from the advisory before it drives a patching decision.
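CVE-2026-41203 and CVE-2026-41202 above both describe Zip Slip (CWE-22): an extractor that joins each archive entry name onto the target directory without checking lets an entry such as `../../x` write outside it. The following is an added example, not ci4ms code and not taken from either advisory: a pre-check that flags the entry shapes that escape an extraction root (`..` components, absolute paths, drive letters, backslash separators and symlink entries), paired with an extractor that refuses such archives and, as defence in depth, re-verifies every resolved path with `realpath`. The sample archives are constructed in memory and their file names are illustrative.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Unix file-type bits, stored in the high 16 bits of a zip entry's
# external_attr by archives created on Unix-like systems.
S_IFMT = 0o170000
S_IFLNK = 0o120000


def unsafe_zip_entries(data: bytes) -> list:
    """Return the entry names that would escape the extraction directory
    (Zip Slip, CWE-22) or recreate a symlink; an empty list means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Treat Windows separators as separators so 'a\..\..\x' is caught too.
            name = info.filename.replace("\\", "/")
            if ((info.external_attr >> 16) & S_IFMT) == S_IFLNK:
                # A symlink extracted first lets a later entry write through it.
                findings.append(info.filename)
            elif name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                # Absolute path or Windows drive letter.
                findings.append(info.filename)
            else:
                norm = posixpath.normpath(name)
                if norm == ".." or norm.startswith("../"):
                    # '..' components that still resolve above the root after normalisation.
                    findings.append(info.filename)
    return findings


def safe_extract(data: bytes, dest: str) -> list:
    """Extract a clean archive into dest and return the absolute paths written.
    Refuses the whole archive if the pre-check finds anything, and re-checks
    each resolved target against the destination before writing it."""
    bad = unsafe_zip_entries(data)
    if bad:
        raise ValueError(f"refusing to extract, unsafe entries: {bad}")
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"entry {info.filename!r} resolves outside {root}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def extract_to_tempdir(data: bytes) -> list:
    """Extract into a fresh temporary directory; return the written paths
    relative to it, sorted, with '/' separators."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        return sorted(os.path.relpath(p, root).replace(os.sep, "/")
                      for p in safe_extract(data, tmp))


def is_rejected(data: bytes) -> bool:
    """True if safe_extract() refuses the archive."""
    try:
        extract_to_tempdir(data)
    except ValueError:
        return True
    return False


def _build(entries) -> bytes:
    """Build a constructed in-memory archive from (name, payload, is_symlink) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload, is_symlink in entries:
            zi = zipfile.ZipInfo(name)
            if is_symlink:
                zi.external_attr = (S_IFLNK | 0o777) << 16
            zf.writestr(zi, payload)
    return buf.getvalue()


# Constructed sample archives (not real ci4ms theme or backup files).
SAMPLE_CLEAN = _build([
    ("theme/style.css", "body {}", False),
    ("theme/sub/../index.html", "<p>ok</p>", False),   # '..' that stays inside the root
])
SAMPLE_TRAVERSAL = _build([
    ("theme/style.css", "body {}", False),
    ("../../public/dropped.txt", "escaped", False),
])
SAMPLE_ABSOLUTE = _build([("/tmp/dropped.txt", "escaped", False)])
SAMPLE_BACKSLASH = _build([("theme\\..\\..\\dropped.txt", "escaped", False)])
SAMPLE_SYMLINK = _build([
    ("theme/link", "../../public", True),          # symlink entry pointing above the root
    ("theme/link/dropped.txt", "escaped", False),  # would be written through the symlink
])

if __name__ == "__main__":
    for label, sample in [("clean", SAMPLE_CLEAN), ("traversal", SAMPLE_TRAVERSAL),
                          ("absolute", SAMPLE_ABSOLUTE), ("backslash", SAMPLE_BACKSLASH),
                          ("symlink", SAMPLE_SYMLINK)]:
        print(f"{label:10s} unsafe={unsafe_zip_entries(sample)} rejected={is_rejected(sample)}")
```

Run the pre-check on an uploaded theme or backup archive before handing it to any extractor, and keep the `realpath` containment check in the extractor even when the archive library claims to sanitise names: symlink entries and backslash separators are the cases extractors handle least consistently, and the second check costs one path resolution per entry.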
