| CVE | Severity | Score 1 | Score 2 | Age | Title |
|---|---|---|---|---|---|
| CVE-2026-41203 | critical | — | 9.5 | 28d ago | CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE |
| CVE-2026-41202 | critical | — | 9.5 | 28d ago | CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE |
| CVE-2026-35035 | critical | — | 9.5 | 2mo ago | CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS |
| CVE-2026-41201 | critical | 9.1 | 9.1 | 28d ago | CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS |
| CVE-2026-34989 | critical | 9.0 | 9.0 | 2mo ago | CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-45270 | high | — | 8.0 | 16d ago | CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule |
| CVE-2026-41587 | high | — | 8.0 | 1mo ago | CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution |
| CVE-2026-45139 | medium | — | 5.5 | 16d ago | CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations |
| CVE-2026-45138 | medium | — | 5.5 | 16d ago | CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule |
| CVE-2026-41891 | medium | — | 5.5 | 1mo ago | CI4MS has a Deactivated User Session Bypass (active=0) |
| CVE-2026-41890 | medium | — | 5.5 | 1mo ago | CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess |
| CVE-2026-39394 | unknown | — | — | 2mo ago | CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller |
| CVE-2026-39393 | unknown | — | — | 2mo ago | CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass |
| CVE-2026-39392 | unknown | — | — | 2mo ago | CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization |
| CVE-2026-39391 | unknown | — | — | 2mo ago | CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List |
| CVE-2026-39390 | unknown | — | — | 2mo ago | CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting |
| CVE-2026-39389 | unknown | — | — | 2mo ago | CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files |
| CVE-2026-34572 | unknown | — | — | 2mo ago | CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw) |
| CVE-2026-34571 | unknown | — | — | 2mo ago | CI4MS: Stored Cross-Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise |
| CVE-2026-34570 | unknown | — | — | 2mo ago | CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw) |
| CVE-2026-34569 | unknown | — | — | 2mo ago | CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-34568 | unknown | — | — | 2mo ago | CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-34567 | unknown | — | — | 2mo ago | CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-34566 | unknown | — | — | 2mo ago | CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-34565 | unknown | — | — | 2mo ago | CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-34564 | unknown | — | — | 2mo ago | CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-34563 | unknown | — | — | 2mo ago | CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS |
| CVE-2026-34562 | unknown | — | — | 2mo ago | CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-34561 | unknown | — | — | 2mo ago | CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-34560 | unknown | — | — | 2mo ago | CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-34559 | unknown | — | — | 2mo ago | CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-34557 | unknown | — | — | 2mo ago | CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-34558 | unknown | — | — | 2mo ago | CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-27599 | unknown | — | — | 2mo ago | ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS |
| CVE-2026-25510 | unknown | — | — | 4mo ago | CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor |
| CVE-2026-25509 | unknown | — | — | 4mo ago | CI4MS Vulnerable to User Email Enumeration via Password Reset Flow |