Lookup for vulnerable packages by Package URL.

Purl pkg:composer/ci4-cms-erp/ci4ms@0.26.1.0
Type composer
Namespace ci4-cms-erp
Name ci4ms
Version 0.26.1.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 0.31.0
Latest_non_vulnerable_version 31.0.0
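The following is an added example, not part of the VulnerableCode page or the ci4ms project: it parses a Package URL, reads a package response with the field names shown above and works out the lowest release that clears every listed finding. The response it consumes is a constructed, cut-down copy of this page's data, so it runs offline. Two caveats it encodes: the summary fields do not agree with the findings (next_non_vulnerable_version is 0.31.0, yet findings on this page are fixed only in 0.31.5.0, 0.31.7.0, 0.31.8.0 or 31.0.0.0), so the upgrade target is derived from fixed_packages instead; and the database tracks 0.31.5, 0.31.5.0 and 0.31.5+0 as separate packages although Composer normalises all three to the same release, so versions are compared after normalisation rather than as purl strings. The version normaliser handles numeric releases only; pre-release suffixes are an assumption left out.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample: a cut-down VulnerableCode package response using the same
# field names and values that appear on this page (no network call is made).
SAMPLE_RESPONSE = json.dumps({
    "purl": "pkg:composer/ci4-cms-erp/ci4ms@0.26.1.0",
    "is_vulnerable": True,
    "next_non_vulnerable_version": "0.31.0",
    "latest_non_vulnerable_version": "31.0.0",
    "affected_by_vulnerabilities": [
        {
            "vulnerability_id": "VCID-11ah-ukzq-k7ch",
            "aliases": ["CVE-2026-41202", "GHSA-xp9f-pvvc-57p4"],
            "weighted_severity": 9.0,
            "fixed_packages": [
                {"purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.5", "is_vulnerable": False},
                {"purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0", "is_vulnerable": True},
                {"purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.5%2B0", "is_vulnerable": False},
            ],
        },
        {
            "vulnerability_id": "VCID-28yh-hjbw-w7ce",
            "aliases": ["CVE-2026-41891", "GHSA-5hfv-c864-qcq9"],
            "weighted_severity": 6.2,
            "fixed_packages": [
                {"purl": "pkg:composer/ci4-cms-erp/ci4ms@0.31.8.0", "is_vulnerable": False},
            ],
        },
    ],
})

# Package URL grammar: pkg:type/namespace/name@version?qualifiers#subpath
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>.+)/)?(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]*))?(?:#(?P<subpath>.*))?$"
)


def parse_purl(purl: str) -> dict:
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a Package URL: {purl}")
    parts = m.groupdict()
    if parts["version"] is not None:
        parts["version"] = unquote(parts["version"])  # %2B -> '+'
    return parts


def composer_version(version: str) -> tuple:
    """Numeric-only approximation of Composer's normalisation: pad to four
    components so '0.31.5' and '0.31.5.0' are the same release, and drop build
    metadata after '+' as Composer does. Suffixes such as -beta1 are not handled."""
    version = version.split("+", 1)[0]
    parts = [int(p) for p in version.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unsupported version: {version}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(response_json: str) -> dict:
    """Summarise a package response: the release we run, the lowest release that
    clears every listed finding, and the findings ordered by weighted severity."""
    data = json.loads(response_json)
    current = composer_version(parse_purl(data["purl"])["version"])
    findings = []
    for vuln in data["affected_by_vulnerabilities"]:
        fixes = sorted(
            composer_version(parse_purl(p["purl"])["version"])
            for p in vuln["fixed_packages"] if not p["is_vulnerable"]
        )
        findings.append({
            "id": vuln["vulnerability_id"],
            "cve": next((a for a in vuln["aliases"] if a.startswith("CVE-")), None),
            "severity": vuln["weighted_severity"],
            "first_fix": fixes[0] if fixes else None,
        })
    per_finding = [f["first_fix"] for f in findings if f["first_fix"]]
    return {
        "is_vulnerable": data["is_vulnerable"],
        "current": current,
        "upgrade_to": max(per_finding) if per_finding else None,
        "findings": sorted(findings, key=lambda f: -f["severity"]),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
```

The upgrade target is the largest of the per-finding minimum fixes, which is the only version that clears all of them at once; with the two findings in the sample that is 0.31.8.0, not the 0.31.0 the summary field suggests.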
Affected_by_vulnerabilities
0
url VCID-11ah-ukzq-k7ch
vulnerability_id VCID-11ah-ukzq-k7ch
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41202
reference_id
reference_type
scores
0
value 0.00534
scoring_system epss
scoring_elements 0.67936
published_at 2026-06-12T12:55:00Z
1
value 0.00534
scoring_system epss
scoring_elements 0.67944
published_at 2026-06-14T12:55:00Z
2
value 0.00534
scoring_system epss
scoring_elements 0.67948
published_at 2026-06-13T12:55:00Z
3
value 0.00534
scoring_system epss
scoring_elements 0.67847
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41202
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41202
reference_id
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41202
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0
reference_id 0.31.5.0
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T12:39:58Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0
4
reference_url https://github.com/advisories/GHSA-xp9f-pvvc-57p4
reference_id GHSA-xp9f-pvvc-57p4
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xp9f-pvvc-57p4
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xp9f-pvvc-57p4
reference_id GHSA-xp9f-pvvc-57p4
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T12:39:58Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xp9f-pvvc-57p4
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.5
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-28yh-hjbw-w7ce
1
vulnerability VCID-48sm-mr7f-ducd
2
vulnerability VCID-dsph-q7jr-qudx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0
2
url pkg:composer/ci4-cms-erp/ci4ms@0.31.5%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.5%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5%252B0
aliases CVE-2026-41202, GHSA-xp9f-pvvc-57p4
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-11ah-ukzq-k7ch
1
url VCID-11fm-qbca-63av
vulnerability_id VCID-11fm-qbca-63av
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 31.0.0.0, the application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their profile name, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This vulnerability is fixed in 31.0.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34989
reference_id
reference_type
scores
0
value 0.0005
scoring_system epss
scoring_elements 0.15899
published_at 2026-06-11T12:55:00Z
1
value 0.0005
scoring_system epss
scoring_elements 0.1604
published_at 2026-06-12T12:55:00Z
2
value 0.00058
scoring_system epss
scoring_elements 0.18575
published_at 2026-06-13T12:55:00Z
3
value 0.00058
scoring_system epss
scoring_elements 0.18553
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34989
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34989
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34989
3
reference_url https://github.com/advisories/GHSA-vr2g-rhm5-q4jr
reference_id GHSA-vr2g-rhm5-q4jr
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vr2g-rhm5-q4jr
4
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr
reference_id GHSA-vr2g-rhm5-q4jr
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T15:57:55Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vr2g-rhm5-q4jr
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@31.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@31.0.0
1
url pkg:composer/ci4-cms-erp/ci4ms@31.0.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@31.0.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@31.0.0%252B0
aliases CVE-2026-34989, GHSA-vr2g-rhm5-q4jr
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-11fm-qbca-63av
2
url VCID-1s93-2pus-xkax
vulnerability_id VCID-1s93-2pus-xkax
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39389
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07443
published_at 2026-06-12T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.07427
published_at 2026-06-14T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07409
published_at 2026-06-11T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07436
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39389
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39389
reference_id
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39389
4
reference_url https://github.com/advisories/GHSA-9rxp-f27p-wv3h
reference_id GHSA-9rxp-f27p-wv3h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9rxp-f27p-wv3h
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-9rxp-f27p-wv3h
reference_id GHSA-9rxp-f27p-wv3h
reference_type
scores
0
value 6.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T20:28:40Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-9rxp-f27p-wv3h
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-28yh-hjbw-w7ce
2
vulnerability VCID-48sm-mr7f-ducd
3
vulnerability VCID-dq3s-2u24-skhq
4
vulnerability VCID-dsph-q7jr-qudx
5
vulnerability VCID-tfxq-7v9w-p3ff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
aliases CVE-2026-39389, GHSA-9rxp-f27p-wv3h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1s93-2pus-xkax
3
url VCID-28yh-hjbw-w7ce
vulnerability_id VCID-28yh-hjbw-w7ce
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been patched in version 0.31.8.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41891
reference_id
reference_type
scores
0
value 0.00016
scoring_system epss
scoring_elements 0.04101
published_at 2026-06-12T12:55:00Z
1
value 0.00016
scoring_system epss
scoring_elements 0.041
published_at 2026-06-14T12:55:00Z
2
value 0.00016
scoring_system epss
scoring_elements 0.0409
published_at 2026-06-13T12:55:00Z
3
value 0.00016
scoring_system epss
scoring_elements 0.04083
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41891
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/commit/2f38284281ce6b435ea42003951f14109ac2cea7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms/commit/2f38284281ce6b435ea42003951f14109ac2cea7
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41891
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41891
4
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0
reference_id 0.31.8.0
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:47:29Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0
5
reference_url https://github.com/advisories/GHSA-5hfv-c864-qcq9
reference_id GHSA-5hfv-c864-qcq9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5hfv-c864-qcq9
6
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5hfv-c864-qcq9
reference_id GHSA-5hfv-c864-qcq9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:47:29Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5hfv-c864-qcq9
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.8
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.8
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.8%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.8%2B0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7qqh-neay-nbak
1
vulnerability VCID-emhm-thb4-rqbz
2
vulnerability VCID-uw4z-hv4s-efe4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.8%252B0
2
url pkg:composer/ci4-cms-erp/ci4ms@0.31.8.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.8.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.8.0
aliases CVE-2026-41891, GHSA-5hfv-c864-qcq9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-28yh-hjbw-w7ce
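An added example for the finding above (VCID-28yh-hjbw-w7ce), written for this page and not taken from ci4ms: a model of an authentication filter whose deactivated/banned check is disabled, next to one that re-validates the account on every request. The user store, session object and the shape of the filter are assumptions for the demo; the advisory only states that the check was commented out. The point it shows is that a session issued before a ban keeps working unless account state is checked per request.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    id: int
    active: bool = True
    banned: bool = False

@dataclass
class Session:
    data: dict = field(default_factory=dict)

    def destroy(self) -> None:
        self.data.clear()

# Constructed user store: one normal account, one banned, one deactivated.
USERS = {1: User(1), 2: User(2, banned=True), 3: User(3, active=False)}


def weak_auth_filter(session: Session) -> bool:
    """Models the flawed filter: only 'is there a logged-in user id' is tested.
    The status check exists but is disabled, so a session that was valid at
    login time keeps being accepted after the account is banned."""
    if "user_id" not in session.data:
        return False
    # $user = $this->users->find($session->get('user_id'));
    # if (!$user || !$user->active || $user->banned) { ... }   # disabled
    return True


def fixed_auth_filter(session: Session) -> bool:
    """Re-validates the account on every request and tears the session down the
    moment the user no longer exists, is deactivated or is banned."""
    user_id = session.data.get("user_id")
    user = USERS.get(user_id) if user_id is not None else None
    if user is None or not user.active or user.banned:
        session.destroy()  # invalidate server-side, not just deny this request
        return False
    return True


def simulate(filter_fn, user_id: int) -> list:
    """Log in (creating a session), then ban the user mid-session and send one
    more request. Returns the allow/deny decision for each request."""
    session = Session({"user_id": user_id})
    decisions = [filter_fn(session)]
    USERS[user_id].banned = True
    decisions.append(filter_fn(session))
    USERS[user_id].banned = False  # reset the constructed store for repeatability
    return decisions


if __name__ == "__main__":
    print("weak :", simulate(weak_auth_filter, 1))
    print("fixed:", simulate(fixed_auth_filter, 1))
```

In the fixed version the denial also destroys the session so a later request cannot resurrect it; if the application caches the user row in the session, that cache must be refreshed here too, otherwise the check is reading stale state.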
4
url VCID-2h4w-tk7x-zfa3
vulnerability_id VCID-2h4w-tk7x-zfa3
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged data, it is rendered without proper output encoding. This issue becomes a Blind XSS scenario because the attacker does not see immediate execution. Instead, the payload is stored within application logs and only executes later when an administrator views the logs page. This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34560
reference_id
reference_type
scores
0
value 0.00026
scoring_system epss
scoring_elements 0.07764
published_at 2026-06-11T12:55:00Z
1
value 0.00026
scoring_system epss
scoring_elements 0.07789
published_at 2026-06-14T12:55:00Z
2
value 0.00026
scoring_system epss
scoring_elements 0.07801
published_at 2026-06-12T12:55:00Z
3
value 0.00026
scoring_system epss
scoring_elements 0.07795
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34560
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34560
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34560
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
reference_id 0.31.0.0
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T13:58:43Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
4
reference_url https://github.com/advisories/GHSA-r4v5-rwr2-q7r4
reference_id GHSA-r4v5-rwr2-q7r4
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r4v5-rwr2-q7r4
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4
reference_id GHSA-r4v5-rwr2-q7r4
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T13:58:43Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r4v5-rwr2-q7r4
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34560, GHSA-r4v5-rwr2-q7r4
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2h4w-tk7x-zfa3
5
url VCID-2t9v-rkcs-tfej
vulnerability_id VCID-2t9v-rkcs-tfej
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an <iframe> allowlist and regex-based removal of on\w+ event handlers. However, the srcdoc attribute is not an event handler and passes all filters. An attacker with admin settings access can inject an <iframe srcdoc="..."> payload with HTML-entity-encoded JavaScript that executes in the context of the parent page when rendered to unauthenticated frontend visitors. This vulnerability is fixed in 0.31.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39390
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.01341
published_at 2026-06-13T12:55:00Z
1
value 0.00011
scoring_system epss
scoring_elements 0.01344
published_at 2026-06-14T12:55:00Z
2
value 0.00011
scoring_system epss
scoring_elements 0.01334
published_at 2026-06-11T12:55:00Z
3
value 0.00011
scoring_system epss
scoring_elements 0.01331
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39390
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39390
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39390
4
reference_url https://github.com/advisories/GHSA-x3hr-cp7x-44r2
reference_id GHSA-x3hr-cp7x-44r2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x3hr-cp7x-44r2
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2
reference_id GHSA-x3hr-cp7x-44r2
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:09:31Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x3hr-cp7x-44r2
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-28yh-hjbw-w7ce
2
vulnerability VCID-48sm-mr7f-ducd
3
vulnerability VCID-dq3s-2u24-skhq
4
vulnerability VCID-dsph-q7jr-qudx
5
vulnerability VCID-tfxq-7v9w-p3ff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
aliases CVE-2026-39390, GHSA-x3hr-cp7x-44r2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2t9v-rkcs-tfej
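An added example for the finding above (VCID-2t9v-rkcs-tfej), not code from ci4ms: a Python model of the filter the advisory describes, strip all tags except <iframe> and then regex away on\w+ event handlers, beside a hardened version that parses the markup and keeps only allowlisted iframe attributes. The weak filter is a reconstruction of the described logic, not the project's PHP; the attribute allowlist and the Maps embed prefix in the hardened version are assumptions for the demo. The inputs are constructed.

```python
import html
import re
from html.parser import HTMLParser


def weak_filter(value: str) -> str:
    """Model of the flawed approach: strip every tag except <iframe>
    (strip_tags($v, '<iframe>')), then regex away on\\w+ event handlers.
    srcdoc is an ordinary attribute, so it passes both steps untouched."""
    value = re.sub(r"<(?!/?iframe\b)[^>]*>", "", value)
    value = re.sub(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|\S+)""", "", value, flags=re.I)
    return value


# Assumed policy for the hardened version: iframe only, these attributes only,
# and src must point at the Maps embed endpoint.
ALLOWED_ATTRS = {"src", "width", "height", "loading", "allowfullscreen", "referrerpolicy"}
ALLOWED_SRC_PREFIX = "https://www.google.com/maps/embed"


class IframeOnly(HTMLParser):
    """Re-serialises only <iframe> elements whose attributes are allowlisted.
    Unknown attributes (srcdoc, on*, sandbox tricks) are dropped, an iframe
    without a trusted src is dropped entirely, and all other markup is discarded.
    Allowlisting attributes makes the 'which attribute is dangerous' question moot."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        kept, src = [], None
        for name, val in attrs:
            if name not in ALLOWED_ATTRS:
                continue
            if name == "src":
                src = val or ""
            else:
                kept.append(name if val is None else f'{name}="{html.escape(val, quote=True)}"')
        if src is None or not src.startswith(ALLOWED_SRC_PREFIX):
            return
        kept.insert(0, f'src="{html.escape(src, quote=True)}"')
        self.out.append("<iframe " + " ".join(kept) + "></iframe>")


def hardened_filter(value: str) -> str:
    p = IframeOnly()
    p.feed(value)
    p.close()
    return "".join(p.out)


def carries_script_vector(markup: str) -> bool:
    """Byte-level check used to show the difference: srcdoc or an event handler survived."""
    return bool(re.search(r"\bsrcdoc\s*=|\son\w+\s*=", markup, re.I))


# Constructed inputs for the demo.
BENIGN = '<iframe src="https://www.google.com/maps/embed?pb=!1m18" width="600" height="450"></iframe>'
HANDLER = '<iframe src="https://www.google.com/maps/embed?pb=1" onload="alert(1)"></iframe>'
BYPASS = '<iframe srcdoc="&lt;script&gt;alert(document.domain)&lt;/script&gt;"></iframe>'

if __name__ == "__main__":
    for label, payload in (("benign", BENIGN), ("handler", HANDLER), ("srcdoc", BYPASS)):
        print(label, "weak ->", weak_filter(payload))
        print(label, "hard ->", hardened_filter(payload))
```

The denylist version catches the onload handler and misses srcdoc because the regex only knows about one attribute family; the allowlist version never has to enumerate bad attributes, and because the HTML parser decodes the entity-encoded srcdoc value before the filter sees it, there is no encoding trick left to play against the attribute name check.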
6
url VCID-39jy-pv24-z7bu
vulnerability_id VCID-39jy-pv24-z7bu
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, a Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality. The application fails to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript code. This results in automatic execution whenever backend users access the affected page, enabling session hijacking, privilege escalation, and full administrative account compromise. This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34571
reference_id
reference_type
scores
0
value 0.00071
scoring_system epss
scoring_elements 0.22031
published_at 2026-06-12T12:55:00Z
1
value 0.00071
scoring_system epss
scoring_elements 0.22018
published_at 2026-06-14T12:55:00Z
2
value 0.00071
scoring_system epss
scoring_elements 0.22042
published_at 2026-06-13T12:55:00Z
3
value 0.00071
scoring_system epss
scoring_elements 0.21843
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34571
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34571
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34571
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
reference_id 0.31.0.0
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T15:11:23Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
4
reference_url https://github.com/advisories/GHSA-fc4p-p49v-r948
reference_id GHSA-fc4p-p49v-r948
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fc4p-p49v-r948
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fc4p-p49v-r948
reference_id GHSA-fc4p-p49v-r948
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T15:11:23Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fc4p-p49v-r948
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34571, GHSA-fc4p-p49v-r948
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-39jy-pv24-z7bu
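An added example covering the three stored XSS findings on this page, VCID-11fm-qbca-63av (profile name rendered in several views), VCID-2h4w-tk7x-zfa3 (log viewer) and VCID-39jy-pv24-z7bu (backend user management), written for this page rather than taken from ci4ms. It renders one stored profile name through templates that interpolate raw strings and through the same templates with context-appropriate encoding, then parses each result the way a browser would to show what elements actually come out. The templates and both names are constructed; the advisories do not give the real views.

```python
import html
from html.parser import HTMLParser

# Constructed values: an attacker-chosen profile name and a legitimate one that
# happens to contain HTML metacharacters.
PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'
LEGIT = "O'Brien & Sons <Ltd>"


def render_raw(name: str) -> dict:
    """Unsafe: the stored value is interpolated as-is into a table cell, an
    edit-form attribute and the log viewer (the three kinds of view the
    advisories describe)."""
    return {
        "cell": f"<td>{name}</td>",
        "field": f'<input name="fullname" value="{name}">',
        "log": f"<pre>INFO user {name} updated profile</pre>",
    }


def render_encoded(name: str) -> dict:
    """Same templates; the value is encoded for the context it lands in
    (element text vs. quoted attribute). Storage stays raw: encoding at output
    keeps legitimate names intact and still neutralises the payload, and the
    log viewer must encode too because log data is attacker-influenced."""
    return {
        "cell": f"<td>{html.escape(name)}</td>",
        "field": f'<input name="fullname" value="{html.escape(name, quote=True)}">',
        "log": f"<pre>INFO user {html.escape(name)} updated profile</pre>",
    }


class DomProbe(HTMLParser):
    """Parses a fragment the way a browser would and records the elements,
    event-handler attributes and text that actually result."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [a for a, _ in attrs if a.startswith("on")]

    def handle_data(self, data):
        self.text.append(data)


def probe(fragment: str) -> DomProbe:
    p = DomProbe()
    p.feed(fragment)
    p.close()
    return p


def injected(fragment: str) -> bool:
    """True when rendering produced an element or handler the template never had."""
    p = probe(fragment)
    return "img" in p.tags or bool(p.handlers)


if __name__ == "__main__":
    for ctx, frag in render_raw(PAYLOAD).items():
        print(f"raw     {ctx:5}: injected={injected(frag)}  {frag}")
    for ctx, frag in render_encoded(PAYLOAD).items():
        print(f"encoded {ctx:5}: injected={injected(frag)}  {frag}")
```

The check is on the parsed result rather than on bytes because that is what decides whether a payload runs; the legitimate name shows why encoding belongs at output and not at storage time, since stripping angle brackets on the way in would have corrupted it and still left the attribute context unprotected.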
7
url VCID-3fm1-2zb6-dqd9
vulnerability_id VCID-3fm1-2zb6-dqd9
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34561
reference_id
reference_type
scores
0
value 0.0008
scoring_system epss
scoring_elements 0.23701
published_at 2026-06-11T12:55:00Z
1
value 0.0008
scoring_system epss
scoring_elements 0.23897
published_at 2026-06-12T12:55:00Z
2
value 0.0008
scoring_system epss
scoring_elements 0.23906
published_at 2026-06-13T12:55:00Z
3
value 0.0008
scoring_system epss
scoring_elements 0.23883
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34561
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gcfj-cf7j-vwgj
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gcfj-cf7j-vwgj
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34561
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34561
4
reference_url https://github.com/advisories/GHSA-gcfj-cf7j-vwgj
reference_id GHSA-gcfj-cf7j-vwgj
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gcfj-cf7j-vwgj
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
2
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34561, GHSA-gcfj-cf7j-vwgj
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3fm1-2zb6-dqd9
8
url VCID-48sm-mr7f-ducd
vulnerability_id VCID-48sm-mr7f-ducd
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version 0.31.7.0, a theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension or content filtering, making them directly executable via HTTP. This issue has been patched in version 0.31.7.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41587
reference_id
reference_type
scores
0
value 0.00122
scoring_system epss
scoring_elements 0.31071
published_at 2026-06-13T12:55:00Z
1
value 0.00122
scoring_system epss
scoring_elements 0.31056
published_at 2026-06-14T12:55:00Z
2
value 0.00122
scoring_system epss
scoring_elements 0.30859
published_at 2026-06-11T12:55:00Z
3
value 0.00122
scoring_system epss
scoring_elements 0.31055
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41587
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41587
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41587
3
reference_url https://github.com/ci4-cms-erp/ci4ms/commit/b969465e71eacd9eb57014ad1fce1fc34fa7bca0
reference_id b969465e71eacd9eb57014ad1fce1fc34fa7bca0
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-07T13:43:14Z/
url https://github.com/ci4-cms-erp/ci4ms/commit/b969465e71eacd9eb57014ad1fce1fc34fa7bca0
4
reference_url https://github.com/advisories/GHSA-fw49-9xq4-gmx6
reference_id GHSA-fw49-9xq4-gmx6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fw49-9xq4-gmx6
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fw49-9xq4-gmx6
reference_id GHSA-fw49-9xq4-gmx6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-07T13:43:14Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fw49-9xq4-gmx6
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.7
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.7
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.7%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.7%2B0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-28yh-hjbw-w7ce
1
vulnerability VCID-dsph-q7jr-qudx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.7%252B0
2
url pkg:composer/ci4-cms-erp/ci4ms@0.31.7.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-28yh-hjbw-w7ce
1
vulnerability VCID-dsph-q7jr-qudx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.7.0
aliases CVE-2026-41587, GHSA-fw49-9xq4-gmx6
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-48sm-mr7f-ducd
9
url VCID-5nz8-yd66-eydx
vulnerability_id VCID-5nz8-yd66-eydx
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block post-installation access to the setup wizard. When the database is temporarily unreachable during a cache miss (TTL expiry or admin-triggered cache clear), the guard fails open, allowing an unauthenticated attacker to overwrite the .env file with attacker-controlled database credentials, achieving full application takeover. This vulnerability is fixed in 0.31.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39393
reference_id
reference_type
scores
0
value 0.00053
scoring_system epss
scoring_elements 0.17105
published_at 2026-06-14T12:55:00Z
1
value 0.00053
scoring_system epss
scoring_elements 0.16963
published_at 2026-06-11T12:55:00Z
2
value 0.00053
scoring_system epss
scoring_elements 0.17132
published_at 2026-06-13T12:55:00Z
3
value 0.00053
scoring_system epss
scoring_elements 0.17119
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39393
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39393
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39393
4
reference_url https://github.com/advisories/GHSA-8rh5-4mvx-xj7j
reference_id GHSA-8rh5-4mvx-xj7j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8rh5-4mvx-xj7j
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8rh5-4mvx-xj7j
reference_id GHSA-8rh5-4mvx-xj7j
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T20:29:33Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8rh5-4mvx-xj7j
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-28yh-hjbw-w7ce
2
vulnerability VCID-48sm-mr7f-ducd
3
vulnerability VCID-dq3s-2u24-skhq
4
vulnerability VCID-dsph-q7jr-qudx
5
vulnerability VCID-tfxq-7v9w-p3ff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
aliases CVE-2026-39393, GHSA-8rh5-4mvx-xj7j
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5nz8-yd66-eydx
10
url VCID-6u34-vs68-c3eq
vulnerability_id VCID-6u34-vs68-c3eq
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Page Management functionality when creating or editing pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side. These stored values are later rendered without proper output encoding across administrative page lists and public-facing page views, leading to stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34566
reference_id
reference_type
scores
0
value 0.00058
scoring_system epss
scoring_elements 0.18557
published_at 2026-06-12T12:55:00Z
1
value 0.00058
scoring_system epss
scoring_elements 0.18553
published_at 2026-06-14T12:55:00Z
2
value 0.00058
scoring_system epss
scoring_elements 0.18575
published_at 2026-06-13T12:55:00Z
3
value 0.00058
scoring_system epss
scoring_elements 0.18393
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34566
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34566
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34566
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
reference_id 0.31.0.0
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-04T03:15:25Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
4
reference_url https://github.com/advisories/GHSA-458r-h248-29c5
reference_id GHSA-458r-h248-29c5
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-458r-h248-29c5
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-458r-h248-29c5
reference_id GHSA-458r-h248-29c5
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-04T03:15:25Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-458r-h248-29c5
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34566, GHSA-458r-h248-29c5
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6u34-vs68-c3eq
11
url VCID-6wyz-uw9f-uufq
vulnerability_id VCID-6wyz-uw9f-uufq
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process. This issue has been patched in version 0.28.5.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25509
reference_id
reference_type
scores
0
value 0.00027
scoring_system epss
scoring_elements 0.08091
published_at 2026-06-14T12:55:00Z
1
value 0.00027
scoring_system epss
scoring_elements 0.08096
published_at 2026-06-12T12:55:00Z
2
value 0.00027
scoring_system epss
scoring_elements 0.08062
published_at 2026-06-11T12:55:00Z
3
value 0.00027
scoring_system epss
scoring_elements 0.08092
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25509
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653
reference_id 86be2930d1c54eb7575102563302b2f3bafcb653
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:30:42Z/
url https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25509
reference_id CVE-2026-25509
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25509
4
reference_url https://github.com/advisories/GHSA-654x-9q7r-g966
reference_id GHSA-654x-9q7r-g966
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-654x-9q7r-g966
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-654x-9q7r-g966
reference_id GHSA-654x-9q7r-g966
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T16:30:42Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-654x-9q7r-g966
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.28.5%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.28.5%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.28.5%252B0
aliases CVE-2026-25509, GHSA-654x-9q7r-g966
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6wyz-uw9f-uufq
12
url VCID-81tn-964g-nqhe
vulnerability_id VCID-81tn-964g-nqhe
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34562
reference_id
reference_type
scores
0
value 0.00023
scoring_system epss
scoring_elements 0.06634
published_at 2026-06-13T12:55:00Z
1
value 0.00023
scoring_system epss
scoring_elements 0.06617
published_at 2026-06-14T12:55:00Z
2
value 0.00023
scoring_system epss
scoring_elements 0.06623
published_at 2026-06-11T12:55:00Z
3
value 0.00023
scoring_system epss
scoring_elements 0.06646
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34562
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34562
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34562
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
reference_id 0.31.0.0
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T19:48:03Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
4
reference_url https://github.com/advisories/GHSA-v897-c6vq-6cr3
reference_id GHSA-v897-c6vq-6cr3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v897-c6vq-6cr3
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v897-c6vq-6cr3
reference_id GHSA-v897-c6vq-6cr3
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T19:48:03Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v897-c6vq-6cr3
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34562, GHSA-v897-c6vq-6cr3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-81tn-964g-nqhe
13
url VCID-8vsd-ed8b-57ec
vulnerability_id VCID-8vsd-ed8b-57ec
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Pages to navigation menus through the Menu Management functionality. Page-related data selected via the Pages section is stored server-side and rendered without proper output encoding. This stored payload is later rendered unsafely within administrative interfaces and public-facing navigation menus, leading to stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34564
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.06177
published_at 2026-06-12T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.06154
published_at 2026-06-14T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.06168
published_at 2026-06-13T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.06155
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34564
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34564
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34564
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
reference_id 0.31.0.0
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T13:53:15Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
4
reference_url https://github.com/advisories/GHSA-g4pp-fhgf-8653
reference_id GHSA-g4pp-fhgf-8653
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g4pp-fhgf-8653
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-g4pp-fhgf-8653
reference_id GHSA-g4pp-fhgf-8653
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T13:53:15Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-g4pp-fhgf-8653
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34564, GHSA-g4pp-fhgf-8653
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8vsd-ed8b-57ec
14
url VCID-9hx2-c5ne-1yca
vulnerability_id VCID-9hx2-c5ne-1yca
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Management functionality. Post-related data selected via the Posts section is stored server-side and rendered without proper output encoding. These stored values are later rendered unsafely within administrative dashboards and public-facing navigation menus, resulting in stored DOM-based cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34565
reference_id
reference_type
scores
0
value 0.00058
scoring_system epss
scoring_elements 0.18557
published_at 2026-06-12T12:55:00Z
1
value 0.00058
scoring_system epss
scoring_elements 0.18553
published_at 2026-06-14T12:55:00Z
2
value 0.00058
scoring_system epss
scoring_elements 0.18575
published_at 2026-06-13T12:55:00Z
3
value 0.00058
scoring_system epss
scoring_elements 0.18393
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34565
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34565
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34565
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
reference_id 0.31.0.0
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:08:32Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
4
reference_url https://github.com/advisories/GHSA-xgh5-w62m-8mpr
reference_id GHSA-xgh5-w62m-8mpr
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xgh5-w62m-8mpr
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xgh5-w62m-8mpr
reference_id GHSA-xgh5-w62m-8mpr
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:08:32Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xgh5-w62m-8mpr
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34565, GHSA-xgh5-w62m-8mpr
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9hx2-c5ne-1yca
15
url VCID-ahyj-sx5e-yfet
vulnerability_id VCID-ahyj-sx5e-yfet
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27599
reference_id
reference_type
scores
0
value 0.00034
scoring_system epss
scoring_elements 0.10579
published_at 2026-06-12T12:55:00Z
1
value 0.00034
scoring_system epss
scoring_elements 0.10555
published_at 2026-06-14T12:55:00Z
2
value 0.00034
scoring_system epss
scoring_elements 0.10523
published_at 2026-06-11T12:55:00Z
3
value 0.00034
scoring_system epss
scoring_elements 0.1058
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27599
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://mega.nz/file/KRNhUI6Q#NGC3Bow3RlnmdU1H2bGu1BGbpfIc-awi6IlvTp08V1s
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://mega.nz/file/KRNhUI6Q#NGC3Bow3RlnmdU1H2bGu1BGbpfIc-awi6IlvTp08V1s
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27599
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27599
4
reference_url https://github.com/advisories/GHSA-66m2-v9v9-95c3
reference_id GHSA-66m2-v9v9-95c3
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-66m2-v9v9-95c3
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3
reference_id GHSA-66m2-v9v9-95c3
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T14:08:02Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-66m2-v9v9-95c3
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
2
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-27599, GHSA-66m2-v9v9-95c3
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ahyj-sx5e-yfet
16
url VCID-bjpa-j4py-vubs
vulnerability_id VCID-bjpa-j4py-vubs
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog categories. An attacker can inject a malicious JavaScript payload into the category title field, which is then stored server-side. This stored payload is later rendered unsafely across public-facing blog category pages, administrative interfaces, and blog post views without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34569
reference_id
reference_type
scores
0
value 0.00058
scoring_system epss
scoring_elements 0.18575
published_at 2026-06-13T12:55:00Z
1
value 0.00058
scoring_system epss
scoring_elements 0.18553
published_at 2026-06-14T12:55:00Z
2
value 0.00058
scoring_system epss
scoring_elements 0.18557
published_at 2026-06-12T12:55:00Z
3
value 0.00058
scoring_system epss
scoring_elements 0.18393
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34569
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34569
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34569
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
reference_id 0.31.0.0
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:04:54Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
4
reference_url https://github.com/advisories/GHSA-fhrf-q333-82fm
reference_id GHSA-fhrf-q333-82fm
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fhrf-q333-82fm
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fhrf-q333-82fm
reference_id GHSA-fhrf-q333-82fm
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:04:54Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fhrf-q333-82fm
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34569, GHSA-fhrf-q333-82fm
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bjpa-j4py-vubs
17
url VCID-bnux-7fjj-mua5
vulnerability_id VCID-bnux-7fjj-mua5
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within the Methods Management functionality when creating or managing application methods/pages. Multiple input fields accept attacker-controlled JavaScript payloads that are stored server-side without sanitization or output encoding. These stored values are later rendered directly into administrative interfaces and global navigation components without proper encoding, resulting in Stored DOM-Based Cross-Site Scripting (XSS). This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34558
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07352
published_at 2026-06-13T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.0735
published_at 2026-06-14T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07317
published_at 2026-06-11T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07359
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34558
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34558
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34558
3
reference_url https://github.com/advisories/GHSA-v77r-xg3p-75g7
reference_id GHSA-v77r-xg3p-75g7
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v77r-xg3p-75g7
4
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v77r-xg3p-75g7
reference_id GHSA-v77r-xg3p-75g7
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T15:25:04Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-v77r-xg3p-75g7
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34558, GHSA-v77r-xg3p-75g7
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bnux-7fjj-mua5
18
url VCID-dq3s-2u24-skhq
vulnerability_id VCID-dq3s-2u24-skhq
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve full account takeover and privilege escalation via stored DOM XSS in the backup module's filename field: an uploaded SQL file tampers with the file name field so that it contains a hidden XSS payload. This issue has been patched in version 0.31.5.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41201
reference_id
reference_type
scores
0
value 0.00063
scoring_system epss
scoring_elements 0.199
published_at 2026-06-12T12:55:00Z
1
value 0.00063
scoring_system epss
scoring_elements 0.19893
published_at 2026-06-14T12:55:00Z
2
value 0.00063
scoring_system epss
scoring_elements 0.19725
published_at 2026-06-11T12:55:00Z
3
value 0.00063
scoring_system epss
scoring_elements 0.19916
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41201
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41201
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41201
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0
reference_id 0.31.5.0
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T14:07:25Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0
4
reference_url https://github.com/advisories/GHSA-qxpq-82f3-xj47
reference_id GHSA-qxpq-82f3-xj47
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qxpq-82f3-xj47
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-qxpq-82f3-xj47
reference_id GHSA-qxpq-82f3-xj47
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T14:07:25Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-qxpq-82f3-xj47
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.5
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-28yh-hjbw-w7ce
1
vulnerability VCID-48sm-mr7f-ducd
2
vulnerability VCID-dsph-q7jr-qudx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0
2
url pkg:composer/ci4-cms-erp/ci4ms@0.31.5%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.5%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5%252B0
aliases CVE-2026-41201, GHSA-qxpq-82f3-xj47
risk_score 4.1
exploitability 0.5
weighted_severity 8.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dq3s-2u24-skhq
19
url VCID-dzem-3pkm-akgm
vulnerability_id VCID-dzem-3pkm-akgm
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34567
reference_id
reference_type
scores
0
value 0.00058
scoring_system epss
scoring_elements 0.18393
published_at 2026-06-11T12:55:00Z
1
value 0.00058
scoring_system epss
scoring_elements 0.18553
published_at 2026-06-14T12:55:00Z
2
value 0.00058
scoring_system epss
scoring_elements 0.18575
published_at 2026-06-13T12:55:00Z
3
value 0.00058
scoring_system epss
scoring_elements 0.18557
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34567
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r33w-c82v-x5v7
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-r33w-c82v-x5v7
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34567
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34567
4
reference_url https://github.com/advisories/GHSA-r33w-c82v-x5v7
reference_id GHSA-r33w-c82v-x5v7
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r33w-c82v-x5v7
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34567, GHSA-r33w-c82v-x5v7
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dzem-3pkm-akgm
20
url VCID-eda1-ec29-67h4
vulnerability_id VCID-eda1-ec29-67h4
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker can inject a malicious JavaScript payload into blog post content, which is then stored server-side. This stored payload is later rendered unsafely in multiple application views without proper output encoding, leading to stored cross-site scripting (XSS). This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34568
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.06177
published_at 2026-06-12T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.06154
published_at 2026-06-14T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.06168
published_at 2026-06-13T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.06155
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34568
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34568
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34568
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
reference_id 0.31.0.0
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T13:51:46Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
4
reference_url https://github.com/advisories/GHSA-x7wh-g25g-53vg
reference_id GHSA-x7wh-g25g-53vg
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x7wh-g25g-53vg
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x7wh-g25g-53vg
reference_id GHSA-x7wh-g25g-53vg
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T13:51:46Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-x7wh-g25g-53vg
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34568, GHSA-x7wh-g25g-53vg
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eda1-ec29-67h4
21
url VCID-fu8m-c32c-8kam
vulnerability_id VCID-fu8m-c32c-8kam
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within group and role management functionality. Multiple input fields (three distinct group-related fields) can be injected with malicious JavaScript payloads, which are then stored server-side. These stored payloads are later rendered unsafely within privileged administrative views without proper output encoding, leading to stored cross-site scripting (XSS) within the role and permission management context. This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34557
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07352
published_at 2026-06-13T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.0735
published_at 2026-06-14T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07317
published_at 2026-06-11T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07359
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34557
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34557
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34557
3
reference_url https://github.com/advisories/GHSA-rpjr-985c-qhvm
reference_id GHSA-rpjr-985c-qhvm
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rpjr-985c-qhvm
4
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-rpjr-985c-qhvm
reference_id GHSA-rpjr-985c-qhvm
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:10:40Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-rpjr-985c-qhvm
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34557, GHSA-rpjr-985c-qhvm
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fu8m-c32c-8kam
22
url VCID-j55m-zv1d-17d1
vulnerability_id VCID-j55m-zv1d-17d1
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.2.0, the application fails to properly sanitize user-controlled input within System Settings, Company Information. Several administrative configuration fields accept attacker-controlled input that is stored server-side and later rendered without proper output encoding. These values are persisted in the database and rendered unsafely on public-facing pages only, such as the main landing page. There is no execution in the administrative dashboard; the vulnerability only impacts the public frontend. This vulnerability is fixed in 0.31.2.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-35035
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05955
published_at 2026-06-12T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05933
published_at 2026-06-11T12:55:00Z
2
value 0.00024
scoring_system epss
scoring_elements 0.06999
published_at 2026-06-14T12:55:00Z
3
value 0.00024
scoring_system epss
scoring_elements 0.07007
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-35035
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.2.0
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.2.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-35035
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-35035
4
reference_url https://github.com/advisories/GHSA-5ghq-42rg-769x
reference_id GHSA-5ghq-42rg-769x
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5ghq-42rg-769x
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5ghq-42rg-769x
reference_id GHSA-5ghq-42rg-769x
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T15:46:26Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5ghq-42rg-769x
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.2
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.2
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.2.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-dsph-q7jr-qudx
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.2.0
2
url pkg:composer/ci4-cms-erp/ci4ms@0.31.2%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.2%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.2%252B0
aliases CVE-2026-35035, GHSA-5ghq-42rg-769x
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j55m-zv1d-17d1
23
url VCID-kywk-3uny-eydr
vulnerability_id VCID-kywk-3uny-eydr
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist (ban) note parameter in UserController::ajax_blackList_post() is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other admin who views the user management page. This vulnerability is fixed in 0.31.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39391
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.0246
published_at 2026-06-13T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02467
published_at 2026-06-11T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02469
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39391
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39391
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39391
4
reference_url https://github.com/advisories/GHSA-7cm9-v848-cfh2
reference_id GHSA-7cm9-v848-cfh2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7cm9-v848-cfh2
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-7cm9-v848-cfh2
reference_id GHSA-7cm9-v848-cfh2
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:18:05Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-7cm9-v848-cfh2
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-28yh-hjbw-w7ce
2
vulnerability VCID-48sm-mr7f-ducd
3
vulnerability VCID-dq3s-2u24-skhq
4
vulnerability VCID-dsph-q7jr-qudx
5
vulnerability VCID-tfxq-7v9w-p3ff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
aliases CVE-2026-39391, GHSA-7cm9-v848-cfh2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kywk-3uny-eydr
24
url VCID-mpqf-b4wu-aua6
vulnerability_id VCID-mpqf-b4wu-aua6
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve remote code execution (RCE) by leveraging the file creation and save endpoints: the attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25510
reference_id
reference_type
scores
0
value 0.00183
scoring_system epss
scoring_elements 0.40034
published_at 2026-06-14T12:55:00Z
1
value 0.00183
scoring_system epss
scoring_elements 0.39852
published_at 2026-06-11T12:55:00Z
2
value 0.00183
scoring_system epss
scoring_elements 0.40022
published_at 2026-06-12T12:55:00Z
3
value 0.00183
scoring_system epss
scoring_elements 0.40044
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25510
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653
reference_id 86be2930d1c54eb7575102563302b2f3bafcb653
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T16:28:51Z/
url https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25510
reference_id CVE-2026-25510
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25510
4
reference_url https://github.com/advisories/GHSA-gp56-f67f-m4px
reference_id GHSA-gp56-f67f-m4px
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gp56-f67f-m4px
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px
reference_id GHSA-gp56-f67f-m4px
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T16:28:51Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.28.5%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.28.5%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.28.5%252B0
aliases CVE-2026-25510, GHSA-gp56-f67f-m4px
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mpqf-b4wu-aua6
25
url VCID-pnx8-75mz-w7ab
vulnerability_id VCID-pnx8-75mz-w7ab
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deleted accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access. This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34570
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.1304
published_at 2026-06-14T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.13062
published_at 2026-06-13T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.13052
published_at 2026-06-12T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12957
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34570
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34570
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34570
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
reference_id 0.31.0.0
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-03T16:40:59Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
4
reference_url https://github.com/advisories/GHSA-4vxv-4xq4-p84h
reference_id GHSA-4vxv-4xq4-p84h
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4vxv-4xq4-p84h
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4vxv-4xq4-p84h
reference_id GHSA-4vxv-4xq4-p84h
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-03T16:40:59Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4vxv-4xq4-p84h
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34570, GHSA-4vxv-4xq4-p84h
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pnx8-75mz-w7ab
26
url VCID-qg51-wxa8-1ubu
vulnerability_id VCID-qg51-wxa8-1ubu
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34559
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.06177
published_at 2026-06-12T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.06155
published_at 2026-06-11T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.06154
published_at 2026-06-14T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.06168
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34559
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-4333-387x-w245
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34559
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34559
4
reference_url https://github.com/advisories/GHSA-4333-387x-w245
reference_id GHSA-4333-387x-w245
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4333-387x-w245
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34559, GHSA-4333-387x-w245
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qg51-wxa8-1ubu
27
url VCID-s3vf-jvpc-77a6
vulnerability_id VCID-s3vf-jvpc-77a6
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the backend design, account state changes are enforced only during authentication (login), not for already-established sessions. The system implicitly assumes that authenticated users remain trusted for the lifetime of their session. There is no session expiration or account expiration mechanism in place, causing deactivated accounts to retain indefinite access until the user manually logs out. This behavior breaks the intended access control policy and results in persistent unauthorized access, representing a critical security flaw. This issue has been patched in version 0.31.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34572
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12957
published_at 2026-06-11T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.1304
published_at 2026-06-14T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.13052
published_at 2026-06-12T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.13062
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34572
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34572
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34572
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
reference_id 0.31.0.0
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T13:51:06Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0
4
reference_url https://github.com/advisories/GHSA-8fq3-c5w3-pj3q
reference_id GHSA-8fq3-c5w3-pj3q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8fq3-c5w3-pj3q
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8fq3-c5w3-pj3q
reference_id GHSA-8fq3-c5w3-pj3q
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T13:51:06Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-8fq3-c5w3-pj3q
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
2
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34572, GHSA-8fq3-c5w3-pj3q
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s3vf-jvpc-77a6
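CVE-2026-34570 and CVE-2026-34572 (VCID-pnx8-75mz-w7ab and VCID-s3vf-jvpc-77a6 above) are the same design flaw seen through two state changes: account state is enforced only at login, so an already-issued session keeps working after the account is deleted or deactivated. The CodeIgniter 4 filter below is an added example of re-checking that state on every request; it is not ci4ms code and does not claim to be the 0.31.0.0 fix. The users table columns (status, deleted_at, session_generation), the session keys (userId, sessionGeneration) and the /login route are assumptions.

```php
<?php
namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

// Added example, not ci4ms code. Assumes CodeIgniter 4 and a "users" table with
// columns id, status, deleted_at and session_generation; the session is assumed
// to hold userId and sessionGeneration, both set at login. All names are invented.
class AccountStateFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $session = session();
        $userId  = $session->get('userId');
        if ($userId === null) {
            return;                                   // anonymous request, nothing to revoke
        }

        $user = db_connect()->table('users')
            ->select('status, deleted_at, session_generation')
            ->where('id', $userId)
            ->get()
            ->getRow();

        // A session becomes invalid when the account is gone (hard or soft deleted),
        // is no longer active, or its generation was bumped by revokeAllSessions()
        // after this session was established. Doing this on every request is what
        // turns "enforced only at login" into "enforced for the session's lifetime".
        $stale = $user === null
            || $user->deleted_at !== null
            || $user->status !== 'active'
            || (int) $user->session_generation !== (int) $session->get('sessionGeneration');

        if ($stale) {
            $session->destroy();
            return redirect()->to('/login')->with('error', 'Your session is no longer valid.');
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do on the way out.
    }

    // Call this from the delete, deactivate and password-change paths: every
    // session that recorded an older generation fails the check above on its
    // next request, without having to enumerate session files or rows.
    public static function revokeAllSessions(int $userId): void
    {
        db_connect()->table('users')
            ->where('id', $userId)
            ->set('session_generation', 'session_generation + 1', false)
            ->update();
    }
}
```

Register the filter in app/Config/Filters.php (an alias under $aliases and that alias in $globals['before']), store the user's current session_generation in the session at login, and call revokeAllSessions() from the admin delete and deactivate handlers. The check costs one indexed row read per request; if that matters, cache the three columns per user for a short TTL and invalidate the cache entry inside revokeAllSessions(), which keeps the revocation immediate while removing the per-request query.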
28
url VCID-sjer-5du4-3qft
vulnerability_id VCID-sjer-5du4-3qft
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34563
reference_id
reference_type
scores
0
value 0.00058
scoring_system epss
scoring_elements 0.18393
published_at 2026-06-11T12:55:00Z
1
value 0.00058
scoring_system epss
scoring_elements 0.18557
published_at 2026-06-12T12:55:00Z
2
value 0.00058
scoring_system epss
scoring_elements 0.18575
published_at 2026-06-13T12:55:00Z
3
value 0.00058
scoring_system epss
scoring_elements 0.18553
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34563
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-85m8-g393-jcxf
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-85m8-g393-jcxf
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34563
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34563
4
reference_url https://github.com/advisories/GHSA-85m8-g393-jcxf
reference_id GHSA-85m8-g393-jcxf
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-85m8-g393-jcxf
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0%252B0
2
url pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-11fm-qbca-63av
2
vulnerability VCID-1s93-2pus-xkax
3
vulnerability VCID-28yh-hjbw-w7ce
4
vulnerability VCID-2t9v-rkcs-tfej
5
vulnerability VCID-48sm-mr7f-ducd
6
vulnerability VCID-5nz8-yd66-eydx
7
vulnerability VCID-dq3s-2u24-skhq
8
vulnerability VCID-j55m-zv1d-17d1
9
vulnerability VCID-kywk-3uny-eydr
10
vulnerability VCID-tfxq-7v9w-p3ff
11
vulnerability VCID-ujj3-vskq-wqbd
12
vulnerability VCID-vpat-qnms-c3gb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.0.0
aliases CVE-2026-34563, GHSA-85m8-g393-jcxf
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sjer-5du4-3qft
29
url VCID-tfxq-7v9w-p3ff
vulnerability_id VCID-tfxq-7v9w-p3ff
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41203
reference_id
reference_type
scores
0
value 0.00534
scoring_system epss
scoring_elements 0.67936
published_at 2026-06-12T12:55:00Z
1
value 0.00534
scoring_system epss
scoring_elements 0.67944
published_at 2026-06-14T12:55:00Z
2
value 0.00534
scoring_system epss
scoring_elements 0.67847
published_at 2026-06-11T12:55:00Z
3
value 0.00534
scoring_system epss
scoring_elements 0.67948
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41203
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41203
reference_id
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41203
3
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0
reference_id 0.31.5.0
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T13:49:29Z/
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0
4
reference_url https://github.com/advisories/GHSA-xv3r-vr59-95rg
reference_id GHSA-xv3r-vr59-95rg
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xv3r-vr59-95rg
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xv3r-vr59-95rg
reference_id GHSA-xv3r-vr59-95rg
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T13:49:29Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xv3r-vr59-95rg
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.5
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-28yh-hjbw-w7ce
1
vulnerability VCID-48sm-mr7f-ducd
2
vulnerability VCID-dsph-q7jr-qudx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5.0
2
url pkg:composer/ci4-cms-erp/ci4ms@0.31.5%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.5%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.5%252B0
aliases CVE-2026-41203, GHSA-xv3r-vr59-95rg
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tfxq-7v9w-p3ff
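The Zip Slip in Theme::upload (CVE-2026-41203, VCID-tfxq-7v9w-p3ff above) and the file-editor RCE (CVE-2026-25510, VCID-mpqf-b4wu-aua6 above) share one root cause: a user-controlled path is joined onto a base directory and written to without checking that the result stays inside that directory. The PHP below is an added example of confining both kinds of write; it is not ci4ms code and not the project's fix. The function names, the editor extension allowlist, the size cap and the sample entry names are assumptions.

```php
<?php
// Added example, not ci4ms code. Assumes PHP 8.1+ with ext-zip. The function
// names, the editor extension allowlist, the size cap and the sample entry
// names are constructed for illustration.

// Lexical check of an archive entry name or editor path: relative, no NUL byte,
// no backslash, no Windows drive prefix and no ".." segment.
function safeSegments(string $relative): ?array
{
    if ($relative === '' || str_contains($relative, "\0") || str_contains($relative, '\\')
        || $relative[0] === '/' || preg_match('/^[A-Za-z]:/', $relative) === 1) {
        return null;
    }
    $segments = array_values(array_filter(explode('/', $relative), fn ($s) => $s !== '' && $s !== '.'));
    return ($segments === [] || in_array('..', $segments, true)) ? null : $segments;
}

// Build the absolute target under $baseDir, creating intermediate directories
// but never descending through a symlink, so a link planted inside the base
// cannot redirect the write outside it.
function targetPath(string $baseDir, array $segments): ?string
{
    $current = realpath($baseDir);
    if ($current === false) {
        return null;
    }
    foreach (array_slice($segments, 0, -1) as $dir) {
        $current .= DIRECTORY_SEPARATOR . $dir;
        if (is_link($current) || (!is_dir($current) && !mkdir($current, 0750))) {
            return null;
        }
    }
    $target = $current . DIRECTORY_SEPARATOR . end($segments);
    return is_link($target) ? null : $target;
}

// Two passes: validate every entry name and the uncompressed total first, so a
// bad archive is rejected before anything is written; then extract by index.
function safeExtractZip(string $zipPath, string $destDir, int $maxBytes = 50 * 1024 * 1024): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive $zipPath");
    }
    $plan  = [];
    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        if ($stat === false || str_ends_with($stat['name'], '/')) {
            continue;                                 // directory entries are created on demand
        }
        $segments = safeSegments($stat['name']);
        $total   += $stat['size'];
        if ($segments === null || $total > $maxBytes) {
            $zip->close();
            throw new RuntimeException('rejected archive entry: ' . $stat['name']);
        }
        $plan[$i] = $segments;
    }
    $written = [];
    foreach ($plan as $i => $segments) {
        $target = targetPath($destDir, $segments);
        $data   = $zip->getFromIndex($i);
        if ($target === null || $data === false || file_put_contents($target, $data) === false) {
            $zip->close();
            throw new RuntimeException('cannot write entry ' . implode('/', $segments));
        }
        $written[] = $target;
    }
    $zip->close();
    return $written;
}

// File editor save: the same confinement plus an extension allowlist, and an
// explicit refusal of anything a web server might run as PHP (also "x.php.txt").
function saveEditorFile(string $baseDir, string $relative, string $contents): string
{
    $allowed  = ['css', 'js', 'html', 'md', 'txt', 'json'];
    $segments = safeSegments($relative);
    $ext      = strtolower(pathinfo($relative, PATHINFO_EXTENSION));
    if ($segments === null || !in_array($ext, $allowed, true)
        || preg_match('/\.(php\d?|phtml|phar)(\.|$)/i', $relative) === 1) {
        throw new RuntimeException("refusing to write $relative");
    }
    $target = targetPath($baseDir, $segments);
    if ($target === null || file_put_contents($target, $contents, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $relative");
    }
    return $target;
}

// Demo: the entry names an attacker would use are rejected before any write.
foreach (['../../public/dropped.php', '/etc/cron.d/x', 'themes/../../index.php', 'mytheme/style.css'] as $name) {
    printf("%-28s %s\n", $name, safeSegments($name) === null ? 'rejected' : 'accepted');
}
```

Two points of design. The name check is lexical and rejects any ".." segment instead of normalising it, because normalisation is where most Zip Slip filters go wrong; the symlink refusal in targetPath() then covers the remaining way out of the base directory. For theme archives that legitimately contain PHP view files no extension allowlist is possible, so the containment check is the control that keeps them out of the public web root, and keeping the theme directory outside public/ (or disabling PHP execution under it) is the second layer; the editor endpoint, which has no such need, gets the allowlist as well.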
30
url VCID-ujj3-vskq-wqbd
vulnerability_id VCID-ujj3-vskq-wqbd
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the database and rendered as raw HTML on the public frontend via echo $pageInfo->content. An authenticated admin with page-editing privileges can inject arbitrary JavaScript that executes in the browser of every public visitor viewing the page. This vulnerability is fixed in 0.31.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39392
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.0246
published_at 2026-06-13T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02467
published_at 2026-06-11T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02469
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39392
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39392
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39392
4
reference_url https://github.com/advisories/GHSA-fjpj-6qcq-6pw2
reference_id GHSA-fjpj-6qcq-6pw2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fjpj-6qcq-6pw2
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fjpj-6qcq-6pw2
reference_id GHSA-fjpj-6qcq-6pw2
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:05:19Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fjpj-6qcq-6pw2
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-28yh-hjbw-w7ce
2
vulnerability VCID-48sm-mr7f-ducd
3
vulnerability VCID-dq3s-2u24-skhq
4
vulnerability VCID-dsph-q7jr-qudx
5
vulnerability VCID-tfxq-7v9w-p3ff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
aliases CVE-2026-39392, GHSA-fjpj-6qcq-6pw2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ujj3-vskq-wqbd
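For the stored XSS in the Pages module (CVE-2026-39392, VCID-ujj3-vskq-wqbd above), the page body is intentionally HTML, so output escaping with esc() is not an option and sanitising at write time is what the missing html_purify rule should provide. The PHP below is an added example built on the ezyang/htmlpurifier library; it is not ci4ms code and not its html_purify implementation. The tag and attribute allowlist and the sample payloads are assumptions.

```php
<?php
// Added example, not ci4ms code. Assumes ezyang/htmlpurifier is installed via
// Composer; the allowlist below is an assumption about what a CMS page body
// needs and should be tuned to the site. The payloads are constructed samples.
require __DIR__ . '/vendor/autoload.php';

function pagePurifier(): HTMLPurifier
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Element and attribute allowlist: no script, no event handlers, no style.
        $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,h2,h3,blockquote,a[href|title],img[src|alt]');
        // Only these URL schemes survive in href/src, which removes javascript: links.
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
        $config->set('HTML.Nofollow', true);
        $config->set('Cache.SerializerPath', sys_get_temp_dir());
        $purifier = new HTMLPurifier($config);
    }
    return $purifier;
}

// Apply this in the create and update paths before the value is stored, so the
// database only ever holds purified HTML and the raw render on the frontend is
// no longer the security boundary.
function sanitizePageContent(string $html): string
{
    return pagePurifier()->purify($html);
}

// Constructed payloads of the kind an admin-level attacker would submit.
$samples = [
    '<p>Hello</p><script>alert(document.domain)</script>',
    '<img src="x" onerror="alert(document.domain)">',
    '<a href="javascript:alert(1)">click</a>',
    '<p>Safe <strong>content</strong> with a <a href="https://example.com">link</a></p>',
];
foreach ($samples as $dirty) {
    printf("%s\n  -> %s\n", $dirty, sanitizePageContent($dirty));
}
```

Purify on every write path, not only on the form the UI uses: an API or import endpoint that stores page content unsanitised reopens the issue. A Content-Security-Policy on the public frontend (CodeIgniter 4 ships CSP support in its App and ContentSecurityPolicy configs) limits what an injected script could do if a purifier gap is ever found, but it is a second layer, not a substitute for sanitising the stored value.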
31
url VCID-vpat-qnms-c3gb
vulnerability_id VCID-vpat-qnms-c3gb
summary CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings(), which writes it into the .env file via preg_replace(). Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration directives into the .env file. The install routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when cache('settings') is empty (cache expiry or fresh deployment). This vulnerability is fixed in 0.31.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39394
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.09921
published_at 2026-06-13T12:55:00Z
1
value 0.00032
scoring_system epss
scoring_elements 0.09907
published_at 2026-06-14T12:55:00Z
2
value 0.00032
scoring_system epss
scoring_elements 0.09868
published_at 2026-06-11T12:55:00Z
3
value 0.00032
scoring_system epss
scoring_elements 0.09916
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39394
1
reference_url https://github.com/ci4-cms-erp/ci4ms
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms
2
reference_url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39394
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39394
4
reference_url https://github.com/advisories/GHSA-vfhx-5459-qhqh
reference_id GHSA-vfhx-5459-qhqh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vfhx-5459-qhqh
5
reference_url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vfhx-5459-qhqh
reference_id GHSA-vfhx-5459-qhqh
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-08T16:09:11Z/
url https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vfhx-5459-qhqh
fixed_packages
0
url pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.4%2B0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4%252B0
1
url pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
purl pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-11ah-ukzq-k7ch
1
vulnerability VCID-28yh-hjbw-w7ce
2
vulnerability VCID-48sm-mr7f-ducd
3
vulnerability VCID-dq3s-2u24-skhq
4
vulnerability VCID-dsph-q7jr-qudx
5
vulnerability VCID-tfxq-7v9w-p3ff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.31.4.0
aliases CVE-2026-39394, GHSA-vfhx-5459-qhqh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vpat-qnms-c3gb
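For the .env injection in Install::index() (CVE-2026-39394, VCID-vpat-qnms-c3gb above), the PHP below contrasts the preg_replace() write the advisory describes with a hardened update that validates the host and refuses control characters. It is an added example, not ci4ms code and not the 0.31.4.0 fix; the function names, the sample .env and the injected value are constructed.

```php
<?php
// Added example, not ci4ms code. The function names, the sample .env and the
// injected value are constructed for illustration.

// The pattern the advisory describes: the raw POST value is spliced into the file
// with preg_replace(), so a value carrying "\n" adds whole new directive lines.
function updateEnvUnsafe(string $env, string $key, string $value): string
{
    return preg_replace('/^' . preg_quote($key, '/') . '\s*=.*$/m', $key . ' = ' . $value, $env);
}

// Installer-side validation: no control characters, an optional port, and a name
// that is a hostname or IPv4 address. Bracketed IPv6 literals are not accepted
// (assumption: the installer does not need them).
function isValidHost(string $host): bool
{
    if (preg_match('/[\x00-\x1F\x7F]/', $host) === 1
        || preg_match('/^([^:\s]+)(?::(\d{1,5}))?$/', $host, $m) !== 1) {
        return false;
    }
    $port = isset($m[2]) ? (int) $m[2] : null;
    if ($port !== null && ($port < 1 || $port > 65535)) {
        return false;
    }
    return filter_var($m[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        || filter_var($m[1], FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

// Writer-side defence in depth: reject control characters again, write the value
// double-quoted with backslash and quote escaped so it is exactly one line, and
// replace through a callback so "$1"-style text in the value is never interpreted.
function updateEnvSafe(string $env, string $key, string $value): string
{
    if (preg_match('/^[A-Za-z][A-Za-z0-9_.]*$/', $key) !== 1) {
        throw new InvalidArgumentException("bad .env key: $key");
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        throw new InvalidArgumentException('control characters are not allowed in .env values');
    }
    $line    = $key . ' = "' . addcslashes($value, "\\\"") . '"';
    $pattern = '/^' . preg_quote($key, '/') . '\s*=.*$/m';
    $updated = preg_replace_callback($pattern, fn () => $line, $env, 1, $count);
    // Append when the key did not exist yet, rather than silently doing nothing.
    return $count === 0 ? rtrim($env, "\n") . "\n" . $line . "\n" : $updated;
}

// Demo on a constructed .env: the same value through the unsafe and the safe path.
$env    = "CI_ENVIRONMENT = production\napp.baseURL = 'https://cms.example/'\ndatabase.default.hostname = localhost\n";
$attack = "cms.example\ninjected.directive = attacker-controlled";
echo updateEnvUnsafe($env, 'database.default.hostname', $attack), "\n";
if (!isValidHost($attack)) {
    echo "installer: host rejected\n";
}
try {
    updateEnvSafe($env, 'database.default.hostname', $attack);
} catch (InvalidArgumentException $e) {
    echo 'writer: ', $e->getMessage(), "\n";
}
echo updateEnvSafe($env, 'database.default.hostname', 'db.internal:3306');
```

In the unsafe path the output gains an extra injected.directive line; which directive then wins is a question of the loader's precedence rules and beside the point, since a single-line value can never add one. The quoting used here is ordinary dotenv double-quote syntax; confirm it against the DotEnv loader of the framework version in use. The advisory's other two conditions deserve their own fixes: re-enable CSRF protection on the install routes, and gate the installer on a persistent marker (for example a lock file written at the end of installation) rather than on cache('settings'), because a cache expiry should never reopen the installer.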
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ci4-cms-erp/ci4ms@0.26.1.0