Platform: php
Component: ci4-cms-erp/ci4ms
Fixed in: 0.31.5, 0.31.4.0
CVE-2026-39394 is a remote code execution (RCE) vulnerability affecting the ci4-cms-erp/ci4ms CMS ERP system. This vulnerability allows attackers to inject arbitrary configuration directives into the .env file, potentially granting them control over the application. The vulnerability impacts versions of ci4-cms-erp/ci4ms up to and including 0.31.3.0, and a fix is available in version 0.31.4.0.
The core of this vulnerability lies in the Install::index() controller's mishandling of the host POST parameter. This parameter is directly passed to updateEnvSettings() without proper validation, and subsequently used in a preg_replace() function to update the .env file. Crucially, newline characters within the host parameter are not stripped, enabling an attacker to inject arbitrary configuration directives. The install routes lack CSRF protection, and the InstallFilter can be bypassed if the cache('settings') is empty, further simplifying exploitation. Successful exploitation allows an attacker to modify critical application settings, potentially leading to complete system compromise, data exfiltration, or denial of service.
This vulnerability was publicly disclosed on 2026-04-08. No known public proof-of-concept (PoC) exists at this time, but the ease of exploitation, combined with the lack of CSRF protection on the install routes, suggests a moderate risk of exploitation. The vulnerability has not yet been added to the CISA KEV catalog. The ability to inject arbitrary configuration directives mirrors the impact of other configuration file manipulation vulnerabilities, potentially allowing for similar attack patterns.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
The primary mitigation is to immediately upgrade to version 0.31.4.0 or later, which addresses the vulnerability. If upgrading is not immediately feasible, consider implementing a temporary workaround by disabling the installation routes or implementing stricter input validation on the host parameter. While a direct WAF rule is difficult to implement due to the nature of the injection, monitoring for unusual modifications to the .env file can provide early detection. Review the application's caching configuration to ensure the cache('settings') is not frequently empty, preventing bypass of the InstallFilter.
Update to version 0.31.4 or higher to mitigate the vulnerability. This version fixes the lack of validation of the 'host' parameter in the Install controller, preventing the injection of arbitrary configurations into the .env file.
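As an added illustration of the "stricter input validation on the host parameter" workaround described above (example code, not ci4ms's own), the helper below whitelists the host value before it reaches the preg_replace() that rewrites the .env file. The function names, the app.baseURL key and the sample .env contents are assumptions; note the `D` modifier, without which `$` would still match a value ending in a newline.

```php
<?php
// Accept one hostname or IPv4 literal with an optional :port and nothing else.
// Rejects whitespace and newlines, so the value can never start a second .env line.
function isValidHost(string $host): bool
{
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    // /D: '$' must match at the very end, not before a trailing "\n".
    $pattern = '/^(?=.{1,253}$)' . $label . '(?:\.' . $label . ')*(?::\d{1,5})?$/D';
    return preg_match($pattern, $host) === 1;
}

// Rewrite the app.baseURL line (assumed key) of an .env file with a validated host.
function updateEnvHost(string $envContents, string $host): string
{
    if (!isValidHost($host)) {
        throw new InvalidArgumentException('Rejected host value');
    }
    // Escape '\' and '$' so preg_replace() treats the value as a literal, not as
    // a back-reference; redundant after the whitelist, but cheap defence in depth.
    $replacement = "app.baseURL = 'http://" . addcslashes($host, '\\$') . "/'";
    $updated = preg_replace('/^app\.baseURL\s*=.*$/m', $replacement, $envContents, 1, $count);
    if ($updated === null) {
        throw new RuntimeException('preg_replace() failed: ' . preg_last_error_msg());
    }
    if ($count === 0) {
        // Key absent: append it as its own line instead of silently doing nothing.
        $updated = rtrim($envContents, "\n") . "\n" . $replacement . "\n";
    }
    return $updated;
}

// Constructed sample .env and candidate values; the second one carries an
// embedded newline and a made-up directive, and is refused before any rewrite.
$sampleEnv = "CI_ENVIRONMENT = production\napp.baseURL = 'http://localhost:8080/'\n";
$candidates = ["example.com:8080", "example.com\nINJECTED_KEY = value"];
foreach ($candidates as $candidate) {
    try {
        $result = updateEnvHost($sampleEnv, $candidate);
        echo "accepted " . json_encode($candidate) . ":\n" . $result . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected " . json_encode($candidate) . "\n";
    }
}
```

The same check belongs on every .env-writing path, and the install routes should additionally be protected by CSRF tokens and disabled once installation has completed.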
CVE-2026-39394 is a remote code execution vulnerability in ci4-cms-erp/ci4ms versions up to 0.31.3.0, allowing attackers to inject configuration directives into the .env file.
You are affected if you are using ci4-cms-erp/ci4ms version 0.31.3.0 or earlier.
Upgrade to version 0.31.4.0 or later to remediate the vulnerability. As a temporary workaround, disable the installation routes or implement stricter input validation.
While no public exploits are currently known, the ease of exploitation suggests a potential risk.
Refer to the official ci4-cms-erp/ci4ms project repository or website for the latest security advisories.