CVE-2026-39394

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.4.0

Description CI4MS, a CodeIgniter 4-based CMS, is susceptible to arbitrary configuration injection via the .env file. The Install::index() controller does not validate the host POST parameter before passing it to updateEnvSettings(), which uses preg replace() to write the value into the .env file. The lack of newline stripping allows an attacker to inject arbitrary configuration directives. CSRF protection is disabled for install routes, and the InstallFilter can be bypassed when the application cache is empty. This could lead to application URL hijacking, security downgrades, session manipulation, and denial of service. The host parameter and the dbpassword field are vulnerable vectors. The app.baseURL parameter can be overridden, and the app.forceGlobalSecureRequests setting can be disabled. The vulnerability is exploitable via a malicious webpage visited by an administrator while the cache is empty.

Recommendations Add validation for the host parameter to reject newlines and restrict to valid hostnames/IPs. Sanitize all values in updateEnvSettings() to strip newlines from replacement strings. Add newline validation to the dbpassword field. Strengthen the InstallFilter to use a more reliable installation-complete indicator.