EXECUTIVE SUMMARY:
Two newly disclosed vulnerabilities affect the CI4MS content management / ERP platform. Both flaws stem from improper handling of uploaded ZIP archives, allowing Zip Slip path traversal attacks that let authenticated backend users write files outside the intended directories. By placing malicious PHP files into the public web root, attackers can achieve remote code execution (RCE) and fully compromise the server. The vulnerabilities impact the backup restoration and theme upload functions across affected releases. Immediate patching is strongly recommended.

CVE-2026-41203, CVSS score 9.4 – The theme upload feature in ci4ms is vulnerable to Zip Slip, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations and achieve remote code execution by dropping a PHP file under the public web root. An attacker can exploit this vulnerability by uploading a ZIP archive containing malicious files, such as a PHP shell.

CVE-2026-41202, CVSS score 9.4 – The backup restore feature in ci4ms is also vulnerable to Zip Slip, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations and achieve remote code execution by dropping a PHP file under the public web root. An attacker can exploit this vulnerability by submitting a ZIP archive containing malicious files to be restored.
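As an added illustration that is not part of this advisory or of the ci4ms code base, the following Python shows the containment check an archive-extraction routine needs in order to avoid Zip Slip: every entry name is resolved against the destination directory and rejected if it would land outside it, and nothing is written until the whole archive has passed. The install tree, entry names and file contents are constructed sample data.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

def safe_extract(archive_bytes: bytes, dest: str) -> list[str]:
    """Extract a ZIP into dest, refusing any entry that resolves outside it."""
    dest_root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Validate all entries first so a rejected archive writes nothing.
        for name in zf.namelist():
            if not name or os.path.isabs(name) or "\\" in name:
                raise ValueError(f"rejected entry (absolute path): {name!r}")
            target = (dest_root / name).resolve()  # normalises '..' components
            if target != dest_root and dest_root not in target.parents:
                raise ValueError(f"rejected entry (escapes dest): {name!r}")
        written = []
        for info in zf.infolist():
            if not info.is_dir():
                target = dest_root / info.filename
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
                written.append(info.filename)
    return written

def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {entry name: content} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo() -> tuple[list[str], bool, bool]:
    """Feed a benign and a traversal archive to a throwaway install tree."""
    benign = build_archive({"theme/style.css": b"body{}"})
    # Constructed traversal entry; the PHP body is a harmless placeholder.
    hostile = build_archive({"../../public/x.php": b"<?php echo 'placeholder';"})
    with tempfile.TemporaryDirectory() as root:
        incoming = os.path.join(root, "writable", "themes", "incoming")
        written = safe_extract(benign, incoming)
        try:
            safe_extract(hostile, incoming)
            rejected = False
        except ValueError:
            rejected = True
        escaped = os.path.exists(os.path.join(root, "writable", "public", "x.php"))
    return written, rejected, escaped
```

Calling `demo()` returns the benign entries written, whether the traversal archive was rejected, and whether anything reached the simulated public directory.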
RECOMMENDATION:
We recommend updating ci4-cms-erp/ci4ms to the fixed version listed on the releases page below: https://github.com/ci4-cms-erp/ci4ms/releases
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-xv3r-vr59-95rg
https://github.com/advisories/GHSA-xp9f-pvvc-57p4