Cyber Posture

CVE-2026-25510

Critical · Public PoC

Published: 03 February 2026
Modified: 10 February 2026
KEV Added: none listed
Patch: available (fixed in 0.28.5.0)
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0016 (35.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints: the attacker writes arbitrary PHP code into a web-served location and then requests it, so the server executes it. This issue has been patched in version 0.28.5.0.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates unrestricted upload of dangerous PHP files by validating file inputs (name, extension, target location and content) so that the file creation and save endpoints cannot write executable code.

Prevent: Requires timely flaw remediation by patching to version 0.28.5.0 or later, which removes the RCE in the file creation and save endpoints.

Prevent: Enforces least privilege by granting file editor permissions only to the accounts that need them, so that fewer authenticated users can reach the RCE-capable file write functions.
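The first control above is the one that actually closes the bug class. The block below is an added example, not CI4MS code and not from the advisory or the fixing commit: it shows the dangerous endpoint shape (request supplies both the path and the content, and the controller writes it under a served directory unchecked) next to a validator that a file editor save handler could call before writing. All class, method and parameter names (EditorSaveValidator, resolve, vulnerableSave, the editable root directory) are assumptions for the example; it needs PHP 8 for str_contains and str_starts_with.

```php
<?php
declare(strict_types=1);

// Added example (not CI4MS code). Names below are assumptions for illustration.

// The dangerous shape behind this bug class: an authenticated editor controls
// both the relative path and the content, and nothing stops "shell.php".
function vulnerableSave(string $root, string $relativePath, string $content): void
{
    file_put_contents($root . '/' . $relativePath, $content);
}

final class EditorSaveValidator
{
    /** Extensions the editor may create or overwrite. No executable type is listed. */
    private const ALLOWED_EXTENSIONS = ['css', 'js', 'html', 'twig', 'txt', 'json', 'md'];

    /** Name segments that must not appear anywhere (catches shell.php.css, x.phtml, x.php7). */
    private const EXECUTABLE_SEGMENT = '/^(php\d*|phtml|phar|phps|htaccess)$/';

    private string $root;

    public function __construct(string $editableRoot)
    {
        $real = realpath($editableRoot);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException("editable root is not a directory: $editableRoot");
        }
        $this->root = $real;
    }

    /** Returns the absolute path that may be written, or throws InvalidArgumentException. */
    public function resolve(string $requestedPath, string $content): string
    {
        // 1. Only plain relative paths: no NUL bytes, no absolute paths, no ".." segments.
        if ($requestedPath === '' || str_contains($requestedPath, "\0")) {
            throw new InvalidArgumentException('empty path or NUL byte');
        }
        if (str_starts_with($requestedPath, '/') || str_starts_with($requestedPath, '\\')
            || preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $requestedPath)) {
            throw new InvalidArgumentException('absolute path or traversal rejected');
        }

        // 2. Allowlist the final extension, ban executable segments anywhere in the
        //    name, and refuse dotfiles (.htaccess or .user.ini can re-map handlers).
        $normalized = str_replace('\\', '/', $requestedPath);
        $basename = basename($normalized);
        if ($basename === '' || str_starts_with($basename, '.')) {
            throw new InvalidArgumentException('dotfiles rejected');
        }
        $segments = explode('.', strtolower($basename));
        $ext = count($segments) > 1 ? end($segments) : '';
        if (!in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
            throw new InvalidArgumentException("extension '$ext' not allowed");
        }
        foreach ($segments as $segment) {
            if (preg_match(self::EXECUTABLE_SEGMENT, $segment)) {
                throw new InvalidArgumentException('executable name segment rejected');
            }
        }

        // 3. Defence in depth: refuse a PHP open tag even in an allowed type, so a
        //    handler misconfiguration cannot turn style.css into code.
        if (preg_match('/<\?(php\b|=|\s)/i', $content)) {
            throw new InvalidArgumentException('PHP open tag in content rejected');
        }

        // 4. Confine the target to the editable root after resolving symlinks in the
        //    parent directory; the parent must already exist (the editor never mkdirs).
        $parent = realpath($this->root . '/' . dirname($normalized));
        if ($parent === false
            || !str_starts_with($parent . DIRECTORY_SEPARATOR, $this->root . DIRECTORY_SEPARATOR)) {
            throw new InvalidArgumentException('target escapes the editable root');
        }
        return $parent . DIRECTORY_SEPARATOR . $basename;
    }
}

// Usage with a throw-away directory and constructed requests.
$root = sys_get_temp_dir() . '/editor-save-example';
@mkdir($root . '/themes/default', 0700, true);
$validator = new EditorSaveValidator($root);

foreach ([
    ['themes/default/style.css',     'body { color: red; }'],
    ['themes/default/shell.php',     '<?php system($_GET["c"]);'],
    ['themes/default/shell.php.css', '<?php system($_GET["c"]);'],
    ['../../etc/cron.d/x',           '* * * * * root id'],
    ['themes/default/.htaccess',     'AddType application/x-httpd-php .css'],
] as [$path, $content]) {
    try {
        $target = $validator->resolve($path, $content);
        file_put_contents($target, $content);
        echo "WROTE    $path\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECTED $path: {$e->getMessage()}\n";
    }
}
```

Only the first request is written; the other four are rejected at steps 2, 2, 1 and 2 respectively. The content check in step 3 is deliberately narrow (it lets `<?xml` through so SVG or XML assets still work) and is a backstop, not the primary control: the extension allowlist plus keeping the editable root outside the document root, or served with PHP execution disabled, is what removes the RCE.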

Security Summary

CVE-2026-25510 is a remote code execution (RCE) vulnerability in CI4MS, a CodeIgniter 4-based CMS skeleton providing a production-ready modular architecture, RBAC authorization, and theme support. Versions prior to 0.28.5.0 are affected: an authenticated user with file editor permissions can use the file creation and save endpoints to write arbitrary PHP code to the server and have it executed. The flaw maps to CWE-94 (Code Injection) and CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

An attacker needs valid credentials with file editor permissions; beyond that the attack is network-reachable, low complexity and requires no user interaction. Successful exploitation yields code execution as the web server process, with high impact on confidentiality, integrity and availability. The scope is changed (S:C) because the damage is not limited to the CMS that holds the vulnerability but extends to the underlying host and everything the web server account can reach.

The vulnerability has been patched in CI4MS version 0.28.5.0. Security practitioners should upgrade to this version or later immediately, and in the meantime limit file editor permissions to trusted accounts. Additional details are available in the GitHub security advisory at https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px and the patching commit at https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653.

Details

CWE(s)

CWE-94 Code Injection
CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

ci4-cms-erp / ci4ms: versions prior to 0.28.5.0 (fixed in 0.28.5.0)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

RCE via an unrestricted write of arbitrary PHP code through a public-facing CMS web application maps directly to T1190 (Exploit Public-Facing Application). The exploit also turns a low-privilege application account (file editor) into code execution on the underlying server, which is an elevation of privilege obtained by exploiting a vulnerability, T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

GitHub Security Advisory GHSA-gp56-f67f-m4px: https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px
Patching commit: https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653