CVE-2026-41202
CriticalSummary
In versions prior to 0.31.5.0, the Backup::restore function in CI4MS does not validate file names in uploaded ZIP archives, allowing an authenticated user to write files to arbitrary filesystem locations, potentially leading to remote code execution.
Risk Assessment
The organization may be exposed to remote code execution by unauthorized users, which could result in serious security breaches and data loss.
Recommendation
It is recommended to upgrade to version 0.31.5.0 or later to mitigate this vulnerability and implement additional validation mechanisms for uploaded files.
Original NVD description (English source)
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0.

