CVE-2026-25510

9.9 CRITICAL

📋 TL;DR

This vulnerability allows authenticated users who hold file editor permissions in CI4MS to achieve remote code execution: the file editor lets them create or save files with PHP content under the web root, and the web server then executes those files. It affects CI4MS versions prior to 0.28.5.0, putting any system running a vulnerable version at risk of complete server compromise.

💻 Affected Systems

Products:
  • CI4MS (CodeIgniter 4-based CMS skeleton)
Versions: All versions prior to 0.28.5.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with file editor permissions; default installations with default permissions are vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server takeover with attacker gaining full control over the web server, accessing sensitive data, and using the server as a pivot point for further attacks.

🟠

Likely Case

Attacker uploads web shell or backdoor, establishes persistent access, and exfiltrates sensitive data from the database and file system.

🟢

If Mitigated

Attack prevented by proper access controls and file upload restrictions, limiting impact to unauthorized file uploads without execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once file editor permissions are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.28.5.0

Vendor Advisory: https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px

Restart Required: No

Instructions:

1. Back up your current installation.
2. Update CI4MS to version 0.28.5.0 or later.
3. Verify the patch is applied by checking that commit 86be2930d1c54eb7575102563302b2f3bafcb653 is present.

🔧 Temporary Workarounds

Restrict File Editor Permissions

Platforms: all

Temporarily remove or restrict file editor permissions from all users until patching can be completed.

Implement File Upload Restrictions

Platforms: all

Add server-side validation to the file creation and save endpoints that rejects any file name or content the web server could execute as PHP (not only the .php extension: .phtml, .phar and similar handler-mapped extensions, double extensions such as .php.txt, and server control files such as .htaccess) and that keeps the target path inside the editable directory. Where possible, also configure the web server to never execute PHP from directories the editor can write to.

🧯 If You Can't Patch

  • Immediately revoke file editor permissions from all non-essential users
  • Implement web application firewall rules to block PHP file uploads to the affected endpoints
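The following is an added example, not CI4MS code, of the server-side gate described in the workarounds above: a check a developer could place in front of the editor's save handler while waiting to patch. The editable directory, the allow and block lists and all function names are assumptions and must be adapted to the installation; it requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not CI4MS code): a server-side gate for an editor's
// "create/save file" endpoint. Path, constant and function names are assumed.

const EDITOR_ROOT = '/var/www/ci4ms/public/themes';   // assumed editable area

// What the editor may write. An allowlist, not a denylist, decides the final extension.
const EDITOR_ALLOWED_EXTENSIONS = ['css', 'js', 'json', 'txt', 'md', 'html', 'svg', 'xml'];

// Extensions a web server may hand to PHP or that alter server behaviour; rejected
// if they appear anywhere in the name ("shell.php.txt" as well as "shell.phtml").
const EDITOR_BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml',
    'pht', 'phar', 'phps', 'inc', 'cgi', 'shtml', 'htaccess', 'htpasswd', 'ini'];

function editorNameAllowed(string $name): bool
{
    $base = strtolower(basename($name));
    if ($base === '' || $base[0] === '.' || str_contains($base, "\0")) {
        return false;                     // empty name, dotfile (.htaccess, .user.ini) or NUL byte
    }
    $parts = explode('.', $base);
    if (count($parts) < 2) {
        return false;                     // no extension at all
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (in_array($ext, EDITOR_BLOCKED_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array(end($parts), EDITOR_ALLOWED_EXTENSIONS, true);
}

function editorContentAllowed(string $content): bool
{
    // Refuse anything PHP would parse as code, whatever the extension says.
    // "<?xml" is deliberately not matched so SVG/XML files still save.
    return !str_contains($content, "\0")
        && preg_match('/<\?(php\b|=|\s)/i', $content) !== 1;
}

function editorTargetPath(string $relative): ?string
{
    // Resolve the parent directory (the file itself may not exist yet) and
    // require it to stay inside EDITOR_ROOT; rejects "../" and symlink escapes.
    $root = realpath(EDITOR_ROOT);
    $dir  = realpath(EDITOR_ROOT . '/' . dirname($relative));
    if ($root === false || $dir === false || !str_starts_with($dir . '/', $root . '/')) {
        return null;
    }
    return $dir . '/' . basename($relative);
}

/** Returns the absolute path to write, or null (with $reason set) when the request must be refused. */
function editorValidateSave(string $relative, string $content, ?string &$reason = null): ?string
{
    if (!editorNameAllowed($relative)) {
        $reason = 'file name or extension not permitted';
        return null;
    }
    if (!editorContentAllowed($content)) {
        $reason = 'content contains PHP code';
        return null;
    }
    $path = editorTargetPath($relative);
    if ($path === null) {
        $reason = 'path escapes the editable directory';
    }
    return $path;
}

// Use inside the save handler; $name and $body come from the request:
//   $target = editorValidateSave($name, $body, $why) ?? throw new RuntimeException($why);
//   file_put_contents($target, $body);
```

The name check and the content check are independent on purpose: a handler-mapped extension with harmless content and a harmless extension with `<?php` inside are both refused, and the path check runs last so that a rejected name never reaches the filesystem. This only reduces what the editor can write; it does not replace the patch.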

🔍 How to Verify

Check if Vulnerable:

Check if your CI4MS version is below 0.28.5.0 and if file editor permissions are granted to any users.

Check Version:

Check the CI4MS admin panel or the installation's configuration files for version information (for a git checkout, the checked-out tag).

Verify Fix Applied:

Confirm version is 0.28.5.0 or higher and verify the security patch commit 86be2930d1c54eb7575102563302b2f3bafcb653 is present in your installation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload activity to file creation endpoints
  • PHP file uploads by users with file editor permissions
  • Execution of unexpected PHP files in web directories

Network Indicators:

  • POST requests to file creation/save endpoints with PHP content
  • Unusual outbound connections from web server after file uploads

SIEM Query:

source="web_server" AND (uri_path="/file/create" OR uri_path="/file/save") AND file_extension="php"

The endpoint paths and the file_extension field are placeholders: substitute the actual routes of the CI4MS file editor, and extend the extension match to .phtml, .phar and other handler-mapped extensions. A plain access log records only the request URI, not the POST body that carries the file name and content, so this query needs application or WAF logs that record the target file name.
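When logs do not record what the editor wrote, the filesystem still does. The following is an added example, not CI4MS code or tooling, for the "unexpected PHP files in web directories" indicator above: a PHP CLI script that walks the web root and reports PHP-executable files inside directories the editor may write to, plus recently modified PHP files that carry typical web-shell markers. The web-root path, the editable directory names and the marker list are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not CI4MS code): triage a web root for files an attacker could
// have planted through the editor. Directory names are assumptions; set
// $editableDirs to wherever your installation lets the editor write.

const PHP_EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'pht', 'phar', 'phps'];

// Calls that are rare in theme/asset files but common in web shells and droppers.
const SHELL_MARKERS = '/\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|base64_decode|gzinflate|str_rot13)\s*\(/i';

function isPhpExecutable(string $path): bool
{
    foreach (explode('.', strtolower(basename($path))) as $i => $part) {
        if ($i > 0 && in_array($part, PHP_EXECUTABLE_EXTENSIONS, true)) {
            return true;   // catches "x.php" and "x.php.txt" alike (AddHandler-style setups)
        }
    }
    return false;
}

/**
 * Returns [path => reason] for every file that either
 *  - is PHP-executable and sits inside a directory the editor may write to, or
 *  - is PHP-executable, was modified at or after $since, and contains shell markers.
 */
function findSuspiciousFiles(string $webRoot, array $editableDirs, int $since): array
{
    $findings = [];
    $root     = rtrim(realpath($webRoot) ?: $webRoot, '/');
    $editable = array_map(fn(string $d): string => $root . '/' . trim($d, '/'), $editableDirs);

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        /** @var SplFileInfo $file */
        $path = $file->getPathname();
        if (!$file->isFile() || !isPhpExecutable($path)) {
            continue;
        }
        foreach ($editable as $dir) {
            if (str_starts_with($path, $dir . '/')) {
                $findings[$path] = 'PHP-executable file inside editor-writable directory';
                continue 2;
            }
        }
        if ($file->getMTime() >= $since) {
            // Only the first 64 KiB is read; shells put their payload near the top.
            $head = (string) file_get_contents($path, false, null, 0, 65536);
            if (preg_match(SHELL_MARKERS, $head) === 1) {
                $findings[$path] = 'recently modified PHP file with web-shell markers';
            }
        }
    }
    ksort($findings);
    return $findings;
}

// Usage from the CLI: php triage.php /var/www/ci4ms/public "themes,uploads" 24
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $dirs  = explode(',', $argv[2] ?? 'themes,uploads');
    $hours = (int) ($argv[3] ?? 24);
    foreach (findSuspiciousFiles($argv[1], $dirs, time() - $hours * 3600) as $path => $why) {
        echo "$path\t$why\n";
    }
}
```

Treat the modification-time filter as a convenience, not a control: an attacker who has written a file can also reset its mtime, so a finding list from this script should be compared against the deployed package manifest or `git status` for the installation, and anything in an editor-writable directory with an executable extension is a finding regardless of age.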
