CVE-2026-41203

Name of the Vulnerable Software and Affected Versions CI4MS Theme (affected versions not specified)

Description The upload function in CI4MS Theme fails to validate entry names when extracting user-uploaded ZIP archives. This allows an authenticated backend user with theme create permissions to perform a Zip Slip attack, which is a directory traversal flaw during archive extraction. By uploading a specially crafted ZIP file containing entries like ../../public/shell.php, an attacker can write files to arbitrary filesystem locations, such as the public web root, leading to remote code execution. The issue exists in the upload() function within the 'modules/Theme/Controllers/Theme.php' file, specifically where ZipArchive::extractTo() is called without verifying that the entries resolve inside the intended destination. The affected API endpoint is 'POST backend/themes/themesUpload'.

Recommendations As a temporary workaround, restrict access to the 'POST backend/themes/themesUpload' endpoint or revoke the theme create permission for users until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.