{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T08:58:06.537","vulnerabilities":[{"cve":{"id":"CVE-2026-25510","sourceIdentifier":"security-advisories@github.com","published":"2026-02-03T22:16:31.587","lastModified":"2026-02-10T18:41:41.270","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints; an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0."},{"lang":"es","value":"CI4MS es un esqueleto de CMS basado en CodeIgniter 4 que ofrece una arquitectura modular, lista para producción, con autorización RBAC y soporte de temas. Antes de la versión 0.28.5.0, un usuario autenticado con permisos de editor de archivos puede lograr Ejecución Remota de Código (RCE) al aprovechar los puntos finales de creación y guardado de archivos; un atacante puede cargar y ejecutar código PHP arbitrario en el servidor. \nEste problema ha sido parcheado en la versión 0.28.5.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-94"},{"lang":"en","value":"CWE-434"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-434"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ci4-cms-erp:ci4ms:*:*:*:*:*:*:*:*","versionEndExcluding":"0.28.5.0","matchCriteriaId":"AF5BFA71-5A9A-4ADF-ACD4-5E3B6FAB1DBE"}]}]}],"references":[{"url":"https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}