pkg:Packagist/ci4-cms-erp/ci4ms

All known vulnerabilities

• CRITICAL9.9CVE-2026-34571CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise
  from 0, < 0.31.0.0
• CRITICAL9.9CVE-2026-34569CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• CRITICAL9.9CVE-2026-34563CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS
  from 0, < 0.31.0.0
• CRITICAL9.9CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor
  from 0, < 0.28.5.0
• CRITICAL9.1CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS
  from 0, < 0.31.2.0
• CRITICAL9.1CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• CRITICAL9.1CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• CRITICAL9.1CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• CRITICAL9.1CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• CRITICAL9.1CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• CRITICAL9.1CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• CRITICAL9.1CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• CRITICAL9.1CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• CRITICAL9.1CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• CRITICAL9.1CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• CRITICAL9.1ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• CRITICAL9.0CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 31.0.0.0
• HIGH8.8CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
  from 0, < 0.31.0.0
• HIGH8.8CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
  from 0, < 0.31.0.0
• HIGH8.7CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule
  from 0, < 0.31.9.0
• HIGH8.1CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
  from 0, < 0.31.4.0
• HIGH8.1CI4MS Vulnerable to Post-Installation Re-entry via Cache-Dependent Install Guard Bypass
  from 0, < 0.31.4.0
• MEDIUM6.8CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS
  from 0, < 0.31.5.0
• MEDIUM6.7CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files
  from 0, < 0.31.4.0
• MEDIUM6.5CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations
  from 0, < 0.31.9.0
• MEDIUM5.5CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization
  from 0, < 0.31.4.0
• MEDIUM5.5CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting
  from 0, < 0.31.4.0
• MEDIUM5.4CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule
  from 0, < 0.31.9.0
• MEDIUM5.3CI4MS Vulnerable to User Email Enumeration via Password Reset Flow
  from 0, < 0.28.5.0
• MEDIUM4.8CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
  from 0, < 0.31.4.0
• MEDIUM4.7CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  from 0, < 0.31.0.0
• —CI4MS has a Deactivated User Session Bypass (active=0)
  >= 0.26.0, < 0.31.8.0
• —CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess
  >= 0.31.1.0, < 0.31.8.0
• —CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution
  >= 0.26.0.0, < 0.31.7.0
• —CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE
  from 0, < 0.31.5.0
• —CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE
  from 0, < 0.31.5.0