External risk intelligence

CI4MS backup feature allows attackers to take control of your website.

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-41202

An internal attacker with access to CI4MS backup tools could upload malicious files to take full control of the server. This allows unauthorized command execution and could lead to a complete system compromise.

3Halo Surface Signal

Path Traversal

External exposure likelihood

Halo Surface Signal score for CVE-2026-41202

The vulnerability requires authenticated access to administrative backup functions within a CMS. While the application is web-based, administrative interfaces are typically protected and not designed for public access. The requirement for elevated, specific permissions reduces the likelihood that this vector is exposed on the public internet compared to a public-facing API or service.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in CI4MS allows an authenticated user to upload specially crafted ZIP files that can overwrite arbitrary files on the server, potentially leading to remote code execution. Teams should pay close attention because this could compromise the entire system if not addressed.

  • Can overwrite critical files.
  • Enables running custom code.
  • Requires backend access.

Attack Path

How an attacker could exploit the issue

An authenticated backend user with backup create permissions can abuse this vulnerability to write files to arbitrary filesystem locations. This can be used to drop a malicious PHP file into the public web root, leading to remote code execution.

  • Authenticated, privileged user
  • Uploading a crafted ZIP archive
  • Target directory writable by the web server

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an authenticated user with specific backup permissions to achieve remote code execution via a Zip Slip flaw. Attackers would favor this if they have already gained initial access and compromised credentials for a backend user within the CMS.

  • Requires authenticated access.
  • Patched in version 0.31.5.0.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching CI4MS installations to version 0.31.5.0 or later to address the critical Zip Slip vulnerability that allows for arbitrary file writes and remote code execution. If immediate patching is not feasible, implement strict access controls for the backup functionality and monitor for unusual file creation or modifications in the web root.

  • Patch to version 0.31.5.0.
  • Restrict backup create permissions.
  • Monitor for new PHP files.

Frequently asked questions

What is CI4MS and what vulnerability does it contain?

CI4MS is a CodeIgniter 4-based Content Management System skeleton. It contains a vulnerability in its backup restoration feature where it fails to validate user-uploaded ZIP archive entry names, allowing for arbitrary file writes and potential remote code execution. This is a Zip Slip vulnerability.

How does the Zip Slip vulnerability in CI4MS work?

The vulnerability, classified under CWE-22, occurs because the Backup::restore function extracts user-uploaded ZIP archives without validating entry names. An authenticated backend user with backup create permission can exploit this by uploading a specially crafted ZIP archive to write files to any filesystem location, including dropping a malicious PHP file into the public web root.

What is the trigger path for the CI4MS vulnerability?

The vulnerability is triggered when an authenticated backend user with backup create permissions uploads a specially crafted ZIP archive to the CI4MS backup restore function. The crafted archive exploits the lack of entry name validation to write files to arbitrary locations on the server, bypassing intended scope limitations.

How relevant is the CI4MS vulnerability?

This vulnerability is classified as CRITICAL with a CVSS score of 9.4. While it requires authenticated access and specific administrative permissions, the potential for remote code execution makes it highly relevant for systems using CI4MS. Halo Surface Signal indicates a 'Possible' threat score due to the requirement for authenticated administrative access.

What are the practical steps to address the CI4MS vulnerability?

The primary fix is to update CI4MS to version 0.31.5.0 or later. If immediate patching isn't possible, restrict access to the backup create functionality and actively monitor the web root for any new or suspicious PHP file creations.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished