
ci4-cms-erp — Vulnerabilities & Security Advisories 33

Browse all 33 CVE security advisories affecting ci4-cms-erp. AI-powered Chinese analysis, POCs, and references for each vulnerability.

ci4-cms-erp is a content management and enterprise resource planning system built on the CodeIgniter 4 framework, primarily designed for small to medium businesses seeking integrated administrative and web publishing tools. Its architecture has historically exposed it to a significant number of security flaws, with twenty-seven Common Vulnerabilities and Exposures (CVEs) currently documented. These vulnerabilities predominantly stem from inadequate input validation and improper access controls, leading to frequent instances of Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection. Additionally, privilege escalation issues have allowed unauthorized users to gain administrative access, compromising system integrity. The high volume of recorded CVEs indicates persistent weaknesses in the software’s security posture, suggesting that developers have struggled to consistently patch critical flaws. Organizations relying on this platform face substantial risks due to these known exploitable defects, necessitating rigorous monitoring and immediate updates to mitigate potential breaches.

Top products by ci4-cms-erp: ci4ms
CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-41891 | CI4MS: Deactivated User Session Bypass (active=0) | ci4ms | CWE-613 | 9.1 (AI) | Critical (AI) | 2026-05-07
CVE-2026-41890 | CI4MS: Arbitrary Database Table Drop via Theme deleteProcess | ci4ms | CWE-20 | 9.8 (AI) | Critical (AI) | 2026-05-07
CVE-2026-41203 | ci4ms Theme::upload is vulnerable to Zip Slip leading to RCE | ci4ms | CWE-22 | 8.8 (AI) | High (AI) | 2026-05-07
CVE-2026-41202 | ci4ms Backup::restore is vulnerable to Zip Slip leading to RCE | ci4ms | CWE-22 | 8.8 (AI) | High (AI) | 2026-05-07
CVE-2026-41201 | CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS Version 2 | ci4ms | CWE-79 | 9.1 | Critical | 2026-05-07
CVE-2026-41587 | CI4MS: Unrestricted PHP File Upload via Theme Installation Leads to Authenticated Remote Code Execution | ci4ms | CWE-434 | 8.8 (AI) | High (AI) | 2026-05-07
CVE-2026-39394 | CI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller | ci4ms | CWE-93 | 8.1 | High | 2026-04-08
CVE-2026-39393 | Post-Installation Re-entry via Cache-Dependent Install Guard Bypass in ci4ms | ci4ms | CWE-306 | 8.1 | High | 2026-04-08
CVE-2026-39392 | CI4MS has Stored XSS in Pages Content Due to Missing html_purify Sanitization | ci4ms | CWE-79 | 5.5 | Medium | 2026-04-08
CVE-2026-39391 | CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List | ci4ms | CWE-79 | 4.8 | Medium | 2026-04-08
CVE-2026-39390 | CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting | ci4ms | CWE-79 | 5.5 | Medium | 2026-04-08
CVE-2026-39389 | CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files | ci4ms | CWE-285 | 6.7 | Medium | 2026-04-08
CVE-2026-35035 | CI4MS Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS | ci4ms | CWE-79 | 7.2 | High | 2026-04-06
CVE-2026-34989 | CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-06
CVE-2026-34572 | CI4MS: Account Deactivation Module Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw) | ci4ms | CWE-284 | 8.8 | High | 2026-04-01
CVE-2026-34571 | CI4MS: Stored Cross-Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise | ci4ms | CWE-79 | 10.0 | Critical | 2026-04-01
CVE-2026-34570 | CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw) | ci4ms | CWE-284 | 8.8 | High | 2026-04-01
CVE-2026-34569 | CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 10.0 | Critical | 2026-04-01
CVE-2026-34568 | CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34567 | CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34566 | CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34565 | CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34564 | CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34563 | CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS | ci4ms | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34562 | CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 4.7 | Medium | 2026-04-01
CVE-2026-34561 | CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 4.7 | Medium | 2026-04-01
CVE-2026-34560 | CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34559 | CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 9.1 | Critical | 2026-04-01
CVE-2026-34558 | CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 9.1 | Critical | 2026-03-30
CVE-2026-34557 | CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | ci4ms | CWE-79 | 9.1 | Critical | 2026-03-30

(AI) marks a CVSS score or severity that the source page flags as AI-generated rather than taken from the published advisory.

This page lists every published CVE security advisory associated with ci4-cms-erp. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.