Support Us — Your donation helps us keep running

Goal: 1000 CNY,Raised: 1000 CNY

100.0%
Donate Now

ci4ms — Vulnerabilities & Security Advisories 27

All 27 CVE vulnerabilities found in ci4ms, with AI-generated Chinese analysis, references, and POCs.

Vendor: ci4-cms-erp

CVE IDTitleCVSSSeverityPaused
CVE-2026-39394 CI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller CWE-93 8.1 High2026-04-08
CVE-2026-39393 Post-Installation Re-entry via Cache-Dependent Install Guard Bypass in ci4ms CWE-306 8.1 High2026-04-08
CVE-2026-39392 CI4MS has Stored XSS in Pages Content Due to Missing html_purify Sanitization CWE-79 5.5 Medium2026-04-08
CVE-2026-39391 CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List CWE-79 4.8 Medium2026-04-08
CVE-2026-39390 CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting CWE-79 5.5 Medium2026-04-08
CVE-2026-39389 CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files CWE-285 6.7 Medium2026-04-08
CVE-2026-35035 CI4MS Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS CWE-79 7.2 High2026-04-06
CVE-2026-34989 CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 5.4AIMediumAI2026-04-06
CVE-2026-34572 CI4MS: Account Deactivation Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw) CWE-284 8.8 High2026-04-01
CVE-2026-34571 CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise CWE-79 10.0 Critical2026-04-01
CVE-2026-34570 CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw) CWE-284 8.8 High2026-04-01
CVE-2026-34569 CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 10.0 Critical2026-04-01
CVE-2026-34568 CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34567 CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34566 CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34565 CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34564 CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34563 CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34562 CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 4.7 Medium2026-04-01
CVE-2026-34561 CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 4.7 Medium2026-04-01
CVE-2026-34560 CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34559 CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-04-01
CVE-2026-34558 CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-03-30
CVE-2026-34557 CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 9.1 Critical2026-03-30
CVE-2026-27599 CI4MS: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS CWE-79 4.7 Medium2026-03-30
CVE-2026-25510 CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor CWE-434 10.0 Critical2026-02-03
CVE-2026-25509 CI4MS Vulnerable to User Email Enumeration via Password Reset Flow CWE-204 5.3 Medium2026-02-03

All 27 known CVE vulnerabilities affecting ci4ms with full Chinese analysis, references, and POCs where available.