ci4-cms-erp/ci4ms: security advisories affecting version 0.31.7.0 (5 advisories)
-
[HIGH] CI4MS: Stored XSS in Pages Module Content via Broken `html_purify` Validation Rule
Identifiers: PKSA-cfx9-7tcq-n157, CVE-2026-45270, GHSA-gqr2-7hcg-rchf
Affected versions: <=0.31.8.0
Reported by: GitHub
-
[MEDIUM] CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations
Identifiers: PKSA-x2rt-sj8n-h21z, CVE-2026-45139, GHSA-245j-xjvr-xvm5
Affected versions: <=0.31.8.0
Reported by: GitHub
-
[MEDIUM] CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule
Identifiers: PKSA-7xbg-9dns-gxm5, CVE-2026-45138, GHSA-2m69-jmvh-6chr
Affected versions: <=0.31.8.0
Reported by: GitHub
-
[MEDIUM] CI4MS has a Deactivated User Session Bypass (active=0)
Identifiers: PKSA-cf98-gsv6-bv96, CVE-2026-41891, GHSA-5hfv-c864-qcq9
Affected versions: >=0.26.0,<=0.31.7.0
Reported by: GitHub
-
[MEDIUM] CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess
Identifiers: PKSA-kq1j-n47j-c2p7, CVE-2026-41890, GHSA-vgrf-pr28-vf98
Affected versions: >=0.31.1.0,<=0.31.7.0
Reported by: GitHub
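The check a practitioner wants from a listing like this is "which of these ranges contains the version I actually run". The script below is an added example for this page, not code from the ci4ms project or from Packagist: it transcribes the five affected-version constraints printed above and matches a given installed version against them. It assumes the constraints are Composer-style (comparators `>=`, `<=`, `>`, `<`, `=` joined by `,` for AND and `||` for OR) over dotted numeric versions, and that versions compare component by component with missing trailing components treated as zero, so `0.26` equals `0.26.0`. It handles the `||` form as well, which none of the ranges above use.

```python
"""Match an installed ci4-cms-erp/ci4ms version against the advisory ranges
listed above.

Added example for this page; it is not code from the ci4ms project or from
Packagist.  Assumptions: the "Affected versions" strings are Composer-style
constraints (comparators >=, <=, >, <, = joined by "," for AND and "||" for
OR) over dotted numeric versions, and versions compare component by component
with missing trailing components treated as 0 (so 0.26 == 0.26.0).
"""
import re
from typing import List, Tuple

# Transcribed from the listing above: (CVE identifier, affected-version constraint).
ADVISORIES: List[Tuple[str, str]] = [
    ("CVE-2026-45270", "<=0.31.8.0"),
    ("CVE-2026-45139", "<=0.31.8.0"),
    ("CVE-2026-45138", "<=0.31.8.0"),
    ("CVE-2026-41891", ">=0.26.0,<=0.31.7.0"),
    ("CVE-2026-41890", ">=0.31.1.0,<=0.31.7.0"),
]

# One comparator term: optional operator, optional "v" prefix, dotted integers.
_COMPARATOR = re.compile(r"^(>=|<=|==|>|<|=)?\s*v?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'v0.31.7.0' -> (0, 31, 7, 0). Rejects anything that is not dotted integers."""
    text = text.strip()
    if text.startswith("v"):
        text = text[1:]
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """-1, 0 or 1; the shorter tuple is right-padded with zeros before comparing."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def satisfies(version: str, constraint: str) -> bool:
    """True when `version` lies inside `constraint` (AND within a group, OR across '||')."""
    ver = parse_version(version)
    for group in constraint.split("||"):
        group_ok = True
        for term in group.split(","):
            match = _COMPARATOR.match(term.strip())
            if not match:
                raise ValueError(f"unsupported constraint term: {term!r}")
            op = match.group(1) or "="
            result = compare(ver, parse_version(match.group(2)))
            term_ok = {
                ">=": result >= 0, "<=": result <= 0,
                ">": result > 0, "<": result < 0,
                "=": result == 0, "==": result == 0,
            }[op]
            if not term_ok:
                group_ok = False
                break
        if group_ok:
            return True
    return False


def affected_by(version: str) -> List[str]:
    """CVE identifiers from ADVISORIES whose range contains `version`, in page order."""
    return [cve for cve, constraint in ADVISORIES if satisfies(version, constraint)]


if __name__ == "__main__":
    import sys

    installed = sys.argv[1] if len(sys.argv) > 1 else "0.31.7.0"
    hits = affected_by(installed)
    print(f"{installed}: {len(hits)} applicable advisories")
    for cve in hits:
        print("  " + cve)
```

Run it as `python check.py 0.31.8.0` to see that the two session-bypass and table-drop advisories no longer apply at that version while the three `<=0.31.8.0` ranges still do. In a real deployment the same answer comes from `composer audit` run against the project's lock file, which consults the Packagist advisory database these entries are drawn from; the script above is only useful for reasoning about the printed ranges offline.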