EXECUTIVE SUMMARY:
CVE-2026-41587, with a CVSS score of 8.6, is a CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerability affecting the ci4ms package in versions >= 0.26.0.0, <= 0.31.6.0. An authenticated backend user with theme-upload permission can achieve remote code execution (RCE) by uploading a crafted ZIP file via the theme installation feature. The archive contents, including any PHP file it contains, are installed under their original file names into the web-accessible public/ directory without extension or content filtering, so an uploaded PHP file becomes directly executable via HTTP. This gives the attacker OS-level command execution under the web server process, enabling data exfiltration, lateral movement, persistence, or full server compromise. Any deployment in which a backend user, including a superadmin account, has been granted theme upload permission is affected. Prerequisites for exploitation are a backend account with theme upload permission and the ability to upload a malicious ZIP file via the theme upload feature.
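As an added defensive example (this is not ci4ms code; the allowed-extension list and blocked file names are assumptions about what a hardened theme installer should accept), the following check inspects every ZIP entry before extraction and refuses anything that would land an executable or server-configuration file in public/, or escape the target directory:

```python
# Added example: validate a theme ZIP before extracting it into a web-accessible directory.
# Not ci4ms code; the allowlist and blocked names below are assumptions for illustration.
import io
import posixpath
import zipfile

# Assumed allowlist of static asset types a theme may legitimately ship into public/.
ALLOWED_SUFFIXES = {"css", "js", "map", "png", "jpg", "jpeg", "gif", "svg", "webp",
                    "ico", "woff", "woff2", "ttf", "eot", "json", "html", "txt"}
# Rejected if present anywhere in the name: 'avatar.php.jpg' can still execute on a
# misconfigured Apache, so every suffix is checked, not just the last one.
DANGEROUS_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
                      "inc", "cgi", "pl", "sh"}
# Files that reconfigure how the web server or PHP treats the directory.
BLOCKED_NAMES = {".htaccess", ".user.ini", "web.config"}

def entry_problems(name: str) -> list[str]:
    """Return the reasons a single ZIP entry name must be rejected (empty list = acceptable)."""
    problems = []
    norm = posixpath.normpath(name.replace("\\", "/"))
    # Absolute paths or any leading '..' would write outside the theme directory (zip slip).
    if norm.startswith("/") or norm == ".." or norm.startswith("../") or ":" in norm.split("/")[0]:
        problems.append("path escapes the target directory")
    if name.endswith("/"):
        return problems  # directory entries carry no content to execute
    base = posixpath.basename(norm).lower()
    if base in BLOCKED_NAMES:
        problems.append("server configuration file")
    suffixes = base.split(".")[1:]
    if any(s in DANGEROUS_SUFFIXES for s in suffixes):
        problems.append("executable extension")
    elif not suffixes or suffixes[-1] not in ALLOWED_SUFFIXES:
        problems.append("extension not in allowlist")
    return problems

def validate_theme_zip(data: bytes) -> dict[str, list[str]]:
    """Map each rejected entry to its problems; an empty dict means the archive may be extracted."""
    rejected = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            problems = entry_problems(info.filename)
            if problems:
                rejected[info.filename] = problems
    return rejected

def build_sample_zip() -> bytes:
    """Constructed sample archive: two legitimate assets plus three entries the check must refuse."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mytheme/style.css", "body{}")
        zf.writestr("mytheme/img/logo.png", b"\x89PNG")
        zf.writestr("mytheme/shell.php", "<?php /* would run under the web server */ ?>")
        zf.writestr("mytheme/avatar.php.jpg", "")
        zf.writestr("../../app/Config/evil.txt", "")
    return buf.getvalue()
```

Run the check against the whole archive and abort the install if the returned dict is non-empty; extracting only after every entry passes is what closes the gap described above.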
RECOMMENDATION:
We recommend updating ci4ms to version 0.31.7.0.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-fw49-9xq4-gmx6