high advisory

CI4MS Authenticated Remote Code Execution via Theme Upload

CI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to remote code execution; an authenticated backend user with theme upload permissions can upload a crafted ZIP file containing a PHP file, which is then installed into the web-accessible public directory without filtering, allowing direct execution via HTTP.

CI4MS versions 0.26.0.0 through 0.31.6.0 are vulnerable to authenticated remote code execution. The vulnerability lies in the theme upload feature, where any authenticated backend user with theme-upload permissions can upload a crafted ZIP file. PHP files included in the uploaded ZIP are installed into a web-accessible directory without extension or content filtering. This allows attackers to execute arbitrary PHP code on the server by directly accessing the uploaded files via HTTP requests. The vulnerability was reported on April 29, 2026 and can lead to full server compromise if exploited.

Attack Chain

  1. An attacker gains valid credentials for a backend user account with theme upload permissions.
  2. The attacker crafts a malicious ZIP archive containing a PHP file (e.g., shell.php) with code to execute system commands via a GET parameter.
  3. The attacker uploads the malicious ZIP file (e.g., evil_theme.zip) through the /backend/themes/upload endpoint using a POST request with multipart/form-data.
  4. The application extracts the ZIP archive to a temporary directory.
  5. The application copies the PHP file from the temporary directory to the public/templates/evil/ directory using the rename() function, with no file type validation or content inspection.
  6. The attacker crafts an HTTP GET request targeting the uploaded PHP file (e.g., /templates/evil/shell.php?c=id).
  7. The web server executes the PHP code, running the system command specified in the 'c' parameter.
  8. The output of the executed command is returned in the HTTP response, granting the attacker remote code execution.

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server under the context of the web server user. This can be leveraged to achieve OS-level command execution, potentially leading to data exfiltration, lateral movement, persistence, or full server compromise. Any deployment where a backend user has been granted theme upload permission is vulnerable. While a superadmin already has full privileges, this vulnerability allows lower-privileged roles to escalate their access.

Recommendation

  • Apply the necessary patch or upgrade to a version of CI4MS beyond 0.31.6.0 to remediate CVE-2026-41587.
  • Monitor web server logs for HTTP requests to PHP files under newly created directories below /templates/, which may indicate exploitation attempts, and create a detection rule for this pattern.
  • Implement stricter file upload validation, including file extension allowlists, MIME type checking, and content inspection, to prevent the upload of malicious PHP files.
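As an added illustration of the third recommendation (example code written for this page, not CI4MS's own upload handler), the Python validator below checks a theme archive before any of it is moved into the public directory: it applies an extension allowlist to every suffix of each file name, rejects entry paths that would escape the extraction directory, and inspects each entry's content for PHP open tags regardless of extension. The allowlist, the per-file size cap, and the two sample archives are constructed assumptions.

```python
import io
import zipfile

# Allowlist of extensions a theme may legitimately ship (assumption: a CI4MS
# theme is templates plus static assets; adjust to the real project's needs).
ALLOWED_EXTENSIONS = {
    "html", "htm", "css", "js", "json", "txt", "md", "svg",
    "png", "jpg", "jpeg", "gif", "webp", "ico", "woff", "woff2", "ttf",
}
MAX_ENTRY_BYTES = 5 * 1024 * 1024  # per-file cap (assumption)
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')  # content sniff


def _entry_problems(info: zipfile.ZipInfo, data: bytes) -> list[str]:
    """Return every reason a single archive entry should be rejected."""
    problems = []
    name = info.filename
    # Zip-slip: reject absolute paths, drive letters and any '..' component,
    # on both separator styles, so nothing lands outside the theme directory.
    normalized = name.replace("\\", "/")
    parts = normalized.split("/")
    if normalized.startswith("/") or ".." in parts or ":" in parts[0]:
        problems.append(f"{name}: path escapes the extraction directory")
    if info.is_dir():
        return problems
    base = parts[-1]
    # Every suffix is checked, so 'shell.php' and 'logo.png.php' both fail.
    suffixes = base.lower().split(".")[1:]
    if not suffixes or any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        problems.append(f"{name}: extension not in allowlist")
    if info.file_size > MAX_ENTRY_BYTES:
        problems.append(f"{name}: exceeds size limit")
    # Content inspection: a PHP open tag in any file is disqualifying, which
    # also catches code smuggled inside .css or .svg files.
    if any(marker in data for marker in PHP_MARKERS):
        problems.append(f"{name}: contains PHP code")
    return problems


def validate_theme_zip(archive: bytes) -> list[str]:
    """Return a list of reasons to reject the archive; empty means accepted."""
    problems = []
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            for info in zf.infolist():
                data = b"" if info.is_dir() else zf.read(info)
                problems.extend(_entry_problems(info, data))
    except zipfile.BadZipFile:
        problems.append("not a valid ZIP archive")
    return problems


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {entry name: content} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives; neither is a real CI4MS theme.
BENIGN_THEME = build_zip({
    "mytheme/index.html": b"<h1>Hello</h1>",
    "mytheme/style.css": b"h1 { color: red; }",
})
MALICIOUS_THEME = build_zip({
    "evil/index.html": b"<h1>Hi</h1>",
    "evil/shell.php": b"<?php /* placeholder */ ?>",  # fails extension and content checks
    "evil/logo.png.php": b"not really an image",      # double extension, fails allowlist
    "../escape.css": b"body {}",                       # zip-slip attempt
})

if __name__ == "__main__":
    print("benign:", validate_theme_zip(BENIGN_THEME) or "accepted")
    for problem in validate_theme_zip(MALICIOUS_THEME):
        print("malicious:", problem)
```

The validator runs against the archive bytes before extraction, so a rejected upload never reaches the temporary directory, let alone the rename() into public/templates/. Checking every suffix rather than only the last one matters because server configurations that hand multi-extension files to the PHP interpreter are not unusual.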

Detection coverage (2 rules)

Detect HTTP Request to Newly Created Theme Directory

high

Detects HTTP GET requests to PHP files within newly created theme directories, potentially indicating exploitation of the CI4MS theme upload vulnerability.

Format: Sigma. Tactics: execution. Techniques: T1505.003. Sources: webserver, linux.

Detect Upload of Suspicious ZIP Files via POST

medium

Detects a POST request to the theme upload endpoint with a zip file attachment, potentially indicating an attempt to upload a malicious theme.

Format: Sigma. Tactics: initial_access. Techniques: T1189. Sources: webserver, linux.
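As an added example (this is not the platform's Sigma rules, which remain inside the platform), the Python below runs the logic of both detections over a constructed JSON-per-line access log: the medium rule fires on a multipart POST to the theme upload endpoint carrying a .zip, and the high rule fires on a GET for a .php file inside a theme directory absent from a baseline of known directories, additionally noting whether that request followed a ZIP upload within a 30-minute window. The log field names (including upload_filename, which a proxy or the application would have to log), the baseline set of theme directories, and the window length are assumptions.

```python
import json
import re
from datetime import datetime, timedelta

# Theme directories that existed before monitoring started (assumption: taken
# from a listing of public/templates/ on the host); requests into these are
# normal, requests into any other directory are treated as newly created.
KNOWN_THEME_DIRS = {"default", "corporate"}
UPLOAD_ENDPOINT = "/backend/themes/upload"
UPLOAD_WINDOW = timedelta(minutes=30)
# /templates/<dir>/.../<name>.php with an optional query string.
THEME_PHP_RE = re.compile(r"^/templates/([^/?]+)/[^?]*\.php(?:\?.*)?$", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Parse one JSON access-log record (field names are assumptions)."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["time"])
    return rec


def evaluate(lines: list[str]) -> list[dict]:
    """Run both advisory rules over log lines in order and return the alerts."""
    alerts = []
    upload_times = []  # timestamps of suspicious theme uploads seen so far
    for line in lines:
        rec = parse_line(line)
        method, uri, src = rec["method"].upper(), rec["uri"], rec["remote_addr"]
        path = uri.split("?", 1)[0]

        # Medium rule: POST to the theme upload endpoint carrying a ZIP file.
        if method == "POST" and path == UPLOAD_ENDPOINT:
            ctype = rec.get("content_type", "")
            fname = rec.get("upload_filename", "")
            if ctype.startswith("multipart/form-data") and fname.lower().endswith(".zip"):
                upload_times.append(rec["ts"])
                alerts.append({"level": "medium", "rule": "theme_zip_upload",
                               "src": src, "file": fname, "time": rec["time"]})

        # High rule: GET for a .php file inside a theme directory that is not
        # in the baseline; record whether it followed an upload in the window.
        if method == "GET":
            m = THEME_PHP_RE.match(uri)
            if m and m.group(1).lower() not in KNOWN_THEME_DIRS:
                after_upload = any(timedelta(0) <= rec["ts"] - t <= UPLOAD_WINDOW
                                   for t in upload_times)
                alerts.append({"level": "high", "rule": "new_theme_php_request",
                               "src": src, "uri": uri, "theme_dir": m.group(1),
                               "after_upload": after_upload, "time": rec["time"]})
    return alerts


# Constructed sample log (JSON per line); not real CI4MS or web server output.
SAMPLE_LOG = [
    '{"time":"2026-04-29T10:00:00","remote_addr":"203.0.113.5","method":"GET","uri":"/templates/default/style.css","status":200}',
    '{"time":"2026-04-29T10:05:00","remote_addr":"203.0.113.5","method":"GET","uri":"/templates/corporate/index.php","status":200}',
    '{"time":"2026-04-29T10:10:00","remote_addr":"198.51.100.7","method":"POST","uri":"/backend/themes/upload","status":302,"content_type":"multipart/form-data; boundary=----x","upload_filename":"evil_theme.zip"}',
    '{"time":"2026-04-29T10:11:00","remote_addr":"198.51.100.7","method":"GET","uri":"/templates/evil/shell.php?c=id","status":200}',
    '{"time":"2026-04-29T13:00:00","remote_addr":"192.0.2.9","method":"GET","uri":"/templates/other/index.php","status":404}',
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(json.dumps(alert))
```

The baseline keeps legitimate PHP inside pre-existing themes from alerting, and the after_upload flag gives triage the ordering the attack chain above describes: a ZIP upload followed shortly by a request into a theme directory that did not exist before. Requests into unknown directories with no preceding upload still alert at high, since the upload may have happened outside the retained log window.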
