pkg:Packagist/ci4-cms-erp/ci4ms

36 total CVEs: CRITICAL 17, HIGH 5, MEDIUM 9


All known vulnerabilities

  • CRITICAL 9.9 | CVE-2026-34571 | CI4MS: Stored Cross-Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.9 | CVE-2026-34569 | CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.9 | CVE-2026-34563 | CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.9 | CVE-2026-25510 | CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor
    affected versions: from 0, < 0.28.5.0
  • CRITICAL 9.1 | CVE-2026-35035 | CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS
    affected versions: from 0, < 0.31.2.0
  • CRITICAL 9.1 | CVE-2026-34568 | CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.1 | CVE-2026-34567 | CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.1 | CVE-2026-34566 | CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.1 | CVE-2026-34565 | CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.1 | CVE-2026-34564 | CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.1 | CVE-2026-34561 | CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.1 | CVE-2026-34560 | CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.1 | CVE-2026-34559 | CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.1 | CVE-2026-34557 | CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.1 | CVE-2026-34558 | CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.1 | CVE-2026-27599 | ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • CRITICAL 9.0 | CVE-2026-34989 | CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 31.0.0.0
  • HIGH 8.8 | CVE-2026-34572 | CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw)
    affected versions: from 0, < 0.31.0.0
  • HIGH 8.8 | CVE-2026-34570 | CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw)
    affected versions: from 0, < 0.31.0.0
  • HIGH 8.7 | CVE-2026-45270 | CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule
    affected versions: from 0, < 0.31.9.0
  • HIGH 8.1 | CVE-2026-39394 | CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
    affected versions: from 0, < 0.31.4.0
  • HIGH 8.1 | CVE-2026-39393 | CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass
    affected versions: from 0, < 0.31.4.0
  • MEDIUM 6.8 | CVE-2026-41201 | CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS
    affected versions: from 0, < 0.31.5.0
  • MEDIUM 6.7 | CVE-2026-39389 | CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files
    affected versions: from 0, < 0.31.4.0
  • MEDIUM 6.5 | CVE-2026-45139 | CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations
    affected versions: from 0, < 0.31.9.0
  • MEDIUM 5.5 | CVE-2026-39392 | CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization
    affected versions: from 0, < 0.31.4.0
  • MEDIUM 5.5 | CVE-2026-39390 | CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting
    affected versions: from 0, < 0.31.4.0
  • MEDIUM 5.4 | CVE-2026-45138 | CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule
    affected versions: from 0, < 0.31.9.0
  • MEDIUM 5.3 | CVE-2026-25509 | CI4MS Vulnerable to User Email Enumeration via Password Reset Flow
    affected versions: from 0, < 0.28.5.0
  • MEDIUM 4.8 | CVE-2026-39391 | CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
    affected versions: from 0, < 0.31.4.0
  • MEDIUM 4.7 | CVE-2026-34562 | CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
    affected versions: from 0, < 0.31.0.0
  • (no severity listed) | CVE-2026-41891 | CI4MS has a Deactivated User Session Bypass (active=0)
    affected versions: >= 0.26.0, < 0.31.8.0
  • (no severity listed) | CVE-2026-41890 | CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess
    affected versions: >= 0.31.1.0, < 0.31.8.0
  • (no severity listed) | CVE-2026-41587 | CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution
    affected versions: >= 0.26.0.0, < 0.31.7.0
  • (no severity listed) | CVE-2026-41203 | CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE
    affected versions: from 0, < 0.31.5.0
  • (no severity listed) | CVE-2026-41202 | CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE
    affected versions: from 0, < 0.31.5.0