| CVE-2026-41203 |
critical |
— |
9.5 |
|
|
|
28d ago |
CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE |
| CVE-2026-41202 |
critical |
— |
9.5 |
|
|
|
28d ago |
CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE |
| CVE-2026-35035 |
critical |
— |
9.5 |
|
|
|
2mo ago |
CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS |
| CVE-2026-41201 |
critical |
9.1 |
9.1 |
|
|
|
28d ago |
CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS |
| CVE-2026-34989 |
critical |
9.0 |
9.0 |
|
|
|
2mo ago |
CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-45270 |
high |
— |
8.0 |
|
|
|
17d ago |
CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule |
| CVE-2026-41587 |
high |
— |
8.0 |
|
|
|
1mo ago |
CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution |
| CVE-2026-45139 |
medium |
— |
5.5 |
|
|
|
17d ago |
CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations |
| CVE-2026-45138 |
medium |
— |
5.5 |
|
|
|
17d ago |
CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule |
| CVE-2026-41891 |
medium |
— |
5.5 |
|
|
|
1mo ago |
CI4MS has a Deactivated User Session Bypass (active=0) |
| CVE-2026-41890 |
medium |
— |
5.5 |
|
|
|
1mo ago |
CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess |
