[HIGH] CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution

PKSA-gg2g-kjmj-cghy CVE-2026-41587 GHSA-fw49-9xq4-gmx6

Affected package: ci4-cms-erp/ci4ms

Affected version: >=0.26.0.0,<=0.31.6.0

Reported by:
GitHub