Plataforma
codeigniter
Componente
ci4ms
Corrigido em
0.31.5
CVE-2026-39389 describes a remote code execution (RCE) vulnerability present in CI4MS, a CodeIgniter 4-based CMS skeleton. This flaw allows an attacker to execute arbitrary code on a vulnerable system, potentially leading to complete compromise. The vulnerability impacts versions 0.0.0 through 0.31.3.0 and has been resolved in version 0.31.4.0.
Successful exploitation of CVE-2026-39389 could allow an attacker to gain complete control over the affected CI4MS instance. This includes the ability to modify files, install malware, steal sensitive data (such as user credentials or database information), and potentially pivot to other systems on the network. The impact is significant due to the potential for full system compromise and data exfiltration. Given the CMS nature of CI4MS, a successful attack could expose a large amount of data and disrupt website operations.
CVE-2026-39389 was publicly disclosed on 2026-04-08. The vulnerability's severity is currently assessed as medium. No public proof-of-concept (PoC) code has been released at the time of writing, but the RCE nature of the vulnerability suggests a high likelihood of exploitation if a PoC becomes available. It is not currently listed on the CISA KEV catalog.
Organizations and individuals using CI4MS CMS versions 0.0.0 through 0.31.3.0 are at risk. This includes websites and applications built on the CI4MS framework, particularly those with publicly accessible admin panels or vulnerable configurations. Shared hosting environments running CI4MS are also at increased risk due to potential cross-site contamination.
• codeigniter / server:
find /var/www/ci4ms -type f -name '*.php' -print0 | xargs -0 grep -i 'system/index.php'• generic web:
curl -I https://your-ci4ms-site.com/ | grep Server• wordpress / composer / npm: N/A
• database (mysql, redis, mongodb, postgresql): N/A
• windows / supply-chain: N/A
• linux / server: Monitor system logs (e.g., /var/log/apache2/error.log) for unusual PHP errors or requests related to CI4MS.
disclosure
Status do Exploit
EPSS
0.02% (percentil 4%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2026-39389 is to immediately upgrade CI4MS to version 0.31.4.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the CMS admin panel and closely monitoring system logs for suspicious activity. While a WAF might offer some protection, it is not a substitute for patching. After upgrading, verify the fix by attempting to execute a known exploit payload and confirming that it is blocked.
Actualice CI4MS a la versión 0.31.4 o superior para corregir la vulnerabilidad de bypass de autorización de elementos ocultos. Esta actualización aborda la posibilidad de leer secretos y escribir en archivos protegidos a través del Fileeditor.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2026-39389 is a remote code execution vulnerability affecting CI4MS CMS versions 0.0.0 through 0.31.3.0, allowing attackers to execute arbitrary code on the server.
If you are using CI4MS CMS versions 0.0.0 through 0.31.3.0, you are potentially affected by this vulnerability. Upgrade to version 0.31.4.0 or later to mitigate the risk.
The recommended fix is to upgrade CI4MS CMS to version 0.31.4.0 or later. If upgrading is not immediately possible, implement temporary workarounds like restricting admin panel access.
While no public exploits are currently known, the RCE nature of the vulnerability suggests a potential for exploitation if a proof-of-concept is released.
Refer to the official CI4MS project repository and website for the latest security advisories and updates regarding CVE-2026-39389.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.