CVE-2026-41203 Overview
CVE-2026-41203 is a path traversal vulnerability [CWE-22] in CI4MS, a CodeIgniter 4-based content management system skeleton with role-based access control (RBAC) and theme support. The flaw resides in the Theme::upload function, which extracts user-supplied ZIP archives without validating entry names. An authenticated backend user holding the theme create permission can craft a malicious archive containing path traversal sequences to write files outside the intended theme directory. Attackers can drop a PHP file under the public web root and achieve remote code execution. The issue affects all CI4MS releases prior to version 0.31.5.0 and is patched in that release.
Critical Impact
A backend user with theme create rights can chain Zip Slip extraction with PHP execution under the web root to gain full remote code execution on the host.
Affected Products
- CI4MS (ci4-cms-erp/ci4ms) versions prior to 0.31.5.0
- Deployments exposing the backend theme upload feature to authenticated users
- CodeIgniter 4 applications built on the CI4MS skeleton
Discovery Timeline
- 2026-05-07 - CVE-2026-41203 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-41203
Vulnerability Analysis
CI4MS provides a backend feature that lets privileged users install new themes by uploading a ZIP archive. The Theme::upload method extracts each entry of the archive directly to the filesystem without normalizing or validating entry names. An attacker can include archive entries with relative path components such as ../ to escape the theme directory and write to arbitrary destinations the PHP process can reach.
When the destination falls inside the public web root, the attacker can place a .php file that the web server will execute on the next request. Because the application uses RBAC, only users granted the theme create permission can reach the upload endpoint, but that permission is commonly delegated to non-administrative roles in CMS deployments.
Root Cause
The root cause is missing validation of ZIP entry names during extraction. The extraction routine concatenates the destination directory with the archive entry name and writes file contents without resolving the result against the intended base directory or rejecting entries containing .. segments or absolute paths.
Attack Vector
Exploitation requires network access to the CI4MS backend and an authenticated session with the theme create permission. The attacker uploads a crafted ZIP archive whose entries traverse out of the theme directory and land in a web-accessible location. Requesting the dropped PHP file from the public web root then executes attacker-controlled code with the privileges of the web server process. Refer to the GitHub Security Advisory GHSA-xv3r-vr59-95rg for vendor technical details.
Detection Methods for CVE-2026-41203
Indicators of Compromise
- Unexpected .php files appearing under the public/ web root or theme asset directories shortly after a theme upload event.
- Audit log entries showing theme uploads from non-administrative accounts followed by HTTP requests to newly created PHP files.
- ZIP archive entries containing ../ sequences or absolute paths captured in upload logs.
Detection Strategies
- Inspect the contents of uploaded archives at the application or web application firewall layer and reject entries whose normalized path escapes the destination directory.
- Monitor file integrity on the public web root and theme directories for new or modified PHP files outside expected deployment workflows.
- Correlate authenticated theme upload requests with subsequent execution of newly created PHP scripts to surface post-exploitation activity.
Monitoring Recommendations
- Alert on writes to web-accessible directories that originate from the PHP-FPM or web server user outside scheduled deployments.
- Track outbound network connections from the web server process that follow theme upload events to detect command-and-control activity.
- Review backend RBAC assignments and flag accounts that hold theme create permissions but do not require them for daily operations.
How to Mitigate CVE-2026-41203
Immediate Actions Required
- Upgrade CI4MS to version 0.31.5.0 or later, which patches the Theme::upload extraction logic.
- Audit all backend accounts and revoke the theme create permission from users who do not require it.
- Review theme directories and the public web root for unauthorized PHP files and remove any artifacts attributable to recent uploads.
Patch Information
The maintainers fixed the issue in CI4MS release 0.31.5.0. The patch adds validation of archive entry names so that extracted files are constrained to the intended theme directory. Administrators should upgrade and then rotate any credentials that were valid on the host while the vulnerable version was deployed.
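The following is an added example, not CI4MS code or the maintainers' patch: it shows the kind of entry-name validation the Root Cause and Patch Information sections describe, pre-scanning every ZIP entry and rejecting the whole archive if any name would escape the theme directory. The `$zipPath` and `$themeDir` parameters are assumed caller-supplied values.

```php
<?php
// Added example, not CI4MS code: validate ZIP entry names before extracting a theme
// archive so every written file stays below the theme directory (paths are assumed).
function isSafeEntryName(string $name): bool
{
    // Reject empty names, absolute paths and Windows drive prefixes outright.
    if ($name === '' || $name[0] === '/' || $name[0] === '\\' || preg_match('~^[A-Za-z]:~', $name)) {
        return false;
    }
    // Walk the components; a '..' that climbs above the root rejects the entry,
    // even when it is "balanced" later (a/../../b still escapes).
    $depth = 0;
    foreach (explode('/', str_replace('\\', '/', $name)) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            if (--$depth < 0) {
                return false;
            }
        } else {
            $depth++;
        }
    }
    return true;
}

function extractThemeArchive(string $zipPath, string $themeDir): int
{
    $base = realpath($themeDir);
    if ($base === false) {
        throw new RuntimeException("theme directory not found: $themeDir");
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    // Pre-scan every entry: one bad name rejects the whole archive before any write.
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!isSafeEntryName($name)) {
            $zip->close();
            throw new RuntimeException("archive entry escapes theme directory: $name");
        }
    }
    $count = $zip->numFiles;
    $zip->extractTo($base);
    $zip->close();
    return $count;
}
```

A single rejected entry aborts the upload rather than silently skipping it, which also gives the audit log a concrete event to record for the detection strategies listed above.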
Workarounds
- Disable the theme upload feature or restrict its route to trusted administrators until the upgrade is applied.
- Place the application behind a web application firewall rule that inspects multipart uploads for ZIP archives containing .. traversal sequences.
- Configure the web server to deny PHP execution in theme asset directories where only static files are expected.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.