Platform: codeigniter
Component: ci4ms
Fixed in: 0.31.5
CVE-2026-39389 describes a remote code execution (RCE) vulnerability present in CI4MS, a CodeIgniter 4-based CMS skeleton. This flaw allows an attacker to execute arbitrary code on a vulnerable system, potentially leading to complete compromise. The vulnerability impacts versions 0.0.0 through 0.31.3.0 and has been resolved in version 0.31.4.0.
Successful exploitation of CVE-2026-39389 could allow an attacker to gain complete control over the affected CI4MS instance. This includes the ability to modify files, install malware, steal sensitive data (such as user credentials or database information), and potentially pivot to other systems on the network. The impact is significant due to the potential for full system compromise and data exfiltration. Given the CMS nature of CI4MS, a successful attack could expose a large amount of data and disrupt website operations.
CVE-2026-39389 was publicly disclosed on 2026-04-08. The vulnerability's severity is currently assessed as medium. No public proof-of-concept (PoC) code has been released at the time of writing, but the RCE nature of the vulnerability suggests a high likelihood of exploitation if a PoC becomes available. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-39389 is to immediately upgrade CI4MS to version 0.31.4.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the CMS admin panel and closely monitoring system logs for suspicious activity. While a WAF might offer some protection, it is not a substitute for patching. After upgrading, verify the fix by attempting to execute a known exploit payload and confirming that it is blocked.
Update CI4MS to version 0.31.4 or higher to fix the hidden items authorization bypass vulnerability. This update addresses the possibility of reading secrets and writing to protected files through the Fileeditor.
CVE-2026-39389 is a remote code execution vulnerability affecting CI4MS CMS versions 0.0.0 through 0.31.3.0, allowing attackers to execute arbitrary code on the server.
If you are using CI4MS CMS versions 0.0.0 through 0.31.3.0, you are potentially affected by this vulnerability. Upgrade to version 0.31.4.0 or later to mitigate the risk.
The recommended fix is to upgrade CI4MS CMS to version 0.31.4.0 or later. If upgrading is not immediately possible, implement temporary workarounds like restricting admin panel access.
While no public exploits are currently known, the RCE nature of the vulnerability suggests a potential for exploitation if a proof-of-concept is released.
Refer to the official CI4MS project repository and website for the latest security advisories and updates regarding CVE-2026-39389.