External risk intelligence

CI4MS CMS allows attackers with admin access to take control of your systems

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-41203

An internal attacker with theme management permissions can exploit a file upload flaw in CI4MS to place malicious code on the server. This could allow them to gain full control of the application and access sensitive system areas.

2Halo Surface Signal

Path Traversal

External exposure likelihood

Halo Surface Signal score for CVE-2026-41203

This vulnerability exists in a backend administrative function requiring specific user privileges and authentication. Such administrative modules are typically restricted to internal access or protected by authentication controls, making direct public-internet exposure of the vulnerable theme upload surface uncommon in typical deployments.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in CI4MS allows an authenticated user to upload ZIP files that can overwrite arbitrary files on the server. This could let an attacker gain full control of the system by uploading a malicious file.

  • Requires existing access.
  • Can lead to system takeover.
  • Affects backend theme management.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated backend access and the ability to create themes could exploit this flaw by uploading a crafted ZIP archive. This archive's contents could overwrite critical system files or drop a malicious PHP file into the web root, leading to remote code execution.

  • Authenticated backend user needed.
  • Uploading ZIP archives.
  • Target: Theme upload function.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an authenticated backend user to write files anywhere on the filesystem, potentially leading to remote code execution. While the vulnerability is severe, it requires prior authentication and specific permissions, limiting its direct exploitation by external attackers in most scenarios. Attackers generally prefer vulnerabilities that are remotely exploitable without authentication for wider reach.

  • Requires authenticated user access.
  • Patch released, but adoption varies.
  • No public exploit code observed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching CI4MS to version 0.31.5.0 to address the critical Zip Slip vulnerability, which allows remote code execution by authenticated users. If immediate patching is not feasible, implement strict access controls and monitoring for the theme upload functionality.

  • Apply CI4MS version 0.31.5.0.
  • Restrict theme upload permissions.
  • Monitor for suspicious file uploads.

Frequently asked questions

What is CI4MS and what is it used for?

CI4MS is a Content Management System (CMS) built using CodeIgniter 4. It provides a modular architecture for creating websites and applications, offering features like role-based access control (RBAC) and theme support. It's used to deliver production-ready web platforms.

What is the weakness in CVE-2026-41203, a Zip Slip vulnerability?

CVE-2026-41203 is a Zip Slip vulnerability. This means that the CI4MS software, prior to version 0.31.5.0, did not properly check the names of files within uploaded ZIP archives. An attacker could exploit this by uploading a specially crafted ZIP file, causing it to write files to unintended locations on the server.

How can an attacker exploit the CVE-2026-41203 vulnerability?

An attacker needs authenticated access to the CI4MS backend and permission to create themes. They can exploit this by uploading a ZIP archive containing files with manipulated entry names. This allows them to overwrite existing files or place new files, such as a PHP web shell, in arbitrary locations, potentially leading to remote code execution.

Who should care about this vulnerability based on Halo Surface Signal?

This vulnerability is classified as external due to its network attack vector, meaning it can be reached over the internet. However, the Halo Surface Signal indicates this specific vulnerability is unlikely to be a high concern for direct external exploitation because it requires authenticated backend administrative access and specific user privileges, which are typically protected and not directly exposed.

What is the first step to respond to this vulnerability?

The most critical first step is to update CI4MS to version 0.31.5.0 or later, as this version contains the patch for the Zip Slip vulnerability. If immediate patching isn't possible, restrict the permissions for theme uploads and closely monitor any activity related to that function.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished