SCA: security update for ci4-cms-erp/ci4ms (GHSA-gp56-f67f-m4px)

high Tenable Self-Hosted Container Security Plugin ID 437458

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with
RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor
permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an
attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version
0.28.5.0. (CVE-2026-25510)

See Also

https://github.com/advisories/GHSA-gp56-f67f-m4px

Plugin Details

Severity: High

ID: 437458

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 2/3/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.5

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-25510

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/2/2026

Vulnerability Publication Date: 2/2/2026

Reference Information

CVE: CVE-2026-25510