Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

ci4ms — Vulnerabilities & Security Advisories 33

All 33 CVE vulnerabilities found in ci4ms, with AI-generated Chinese analysis, references, and POCs.

Vendor: ci4-cms-erp

CVE IDTitleCVSSSeverityPublished
CVE-2026-41891 CI4MS: Deactivated User Session Bypass (active=0) CWE-613 9.1AICriticalAI2026-05-07
CVE-2026-41890 CI4MS: Arbitrary Database Table Drop via Theme deleteProcess CWE-20 9.8AICriticalAI2026-05-07
CVE-2026-41203 ci4ms Theme::upload is vulnerable to Zip Slip leading to RCE CWE-22 8.8AIHighAI2026-05-07
CVE-2026-41202 ci4ms Backup::restore is vulnerable to Zip Slip leading to RCE CWE-22 8.8AIHighAI2026-05-07
CVE-2026-41201 CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS Version 2 CWE-79 9.1 Critical2026-05-07
CVE-2026-41587 CI4MS: Unrestricted PHP File Upload via Theme Installation Leads to Authenticated Remote Code Execution CWE-434 8.8AIHighAI2026-05-07
CVE-2026-39394 CI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller CWE-93 8.1 High2026-04-08
CVE-2026-39393 Post-Installation Re-entry via Cache-Dependent Install Guard Bypass in ci4ms CWE-306 8.1 High2026-04-08
CVE-2026-39392 CI4MS has Stored XSS in Pages Content Due to Missing html_purify Sanitization CWE-79 5.5 Medium2026-04-08
CVE-2026-39391 CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List CWE-79 4.8 Medium2026-04-08
CVE-2026-39390 CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting CWE-79 5.5 Medium2026-04-08
CVE-2026-39389 CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files CWE-285 6.7 Medium2026-04-08
CVE-2026-35035 CI4MS Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS CWE-79 7.2 High2026-04-06
CVE-2026-34989 CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 5.4AIMediumAI2026-04-06
CVE-2026-34572 CI4MS: Account Deactivation Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw) CWE-284 8.8 High2026-04-01
CVE-2026-34571 CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise CWE-79 10.0 Critical2026-04-01
CVE-2026-34570 CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw) CWE-284 8.8 High2026-04-01
CVE-2026-34569 CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 10.0 Critical2026-04-01
CVE-2026-34568 CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34567 CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34566 CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34565 CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34564 CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34563 CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34562 CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 4.7 Medium2026-04-01
CVE-2026-34561 CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 4.7 Medium2026-04-01
CVE-2026-34560 CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34559 CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34558 CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-03-30
CVE-2026-34557 CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-03-30

All 33 known CVE vulnerabilities affecting ci4ms with full Chinese analysis, references, and POCs where available.