PT-2026-37133 · Ci4Ms
Dapickle · Published 2026-04-29 · Updated 2026-05-07
CVE-2026-41587 · CVSS v4.0 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected software and versions: CI4MS 0.26.0.0 through 0.31.6.0

Description: The theme upload feature lets any authenticated backend user who holds the theme-upload permission achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension, MIME or content filtering, so they can be executed directly over HTTP. The root cause is that install_theme_from_tmp() is called unconditionally, and the helper in modules/Theme/Helpers/themes_helper.php moves the extracted files into place with rename() and no allowlist, MIME check or content inspection. The file is submitted to the endpoint '/backend/themes/upload', and the theme name is derived from the uploaded filename. The same unfiltered copy also writes files into app/Controllers/templates/, app/Libraries/templates/ and other app/ subdirectories, so a web-server rule that merely blocks PHP execution under public/ does not remove the attacker-controlled code from the application tree. The PR:H component of the vector reflects that the attacker needs an existing backend account with this permission; no other user interaction is required.
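The following is an added example, not code from Ci4Ms or from the advisory. install_theme_unchecked() sketches the unsafe shape the description outlines (extract, then rename() into a served directory with no checks), and validate_theme_entry() plus install_theme_checked() show a hardened replacement that applies the three missing controls: an extension allowlist, a content check for PHP open tags, and confinement of every write to the theme's own directory. All function names, the allowlist and the size cap are hypothetical choices made for this illustration; the project's real function and file names are not known from the page beyond those quoted above.

```php
<?php
declare(strict_types=1);

// Added example, not Ci4Ms code. install_theme_unchecked() sketches the unsafe
// shape described in the advisory; validate_theme_entry() and
// install_theme_checked() are a hardened replacement. All names and the
// allowlist are hypothetical choices for this illustration.

// Unsafe shape: the archive is extracted and the directory is renamed into a
// web-served path without looking at what it contains.
function install_theme_unchecked(string $zipPath, string $publicDir): void
{
    $zip = new ZipArchive();
    $zip->open($zipPath);
    $theme = pathinfo($zipPath, PATHINFO_FILENAME); // name comes from the upload filename
    $tmp = sys_get_temp_dir() . '/theme_' . $theme;
    $zip->extractTo($tmp);                           // a PHP file lands here...
    $zip->close();
    rename($tmp, $publicDir . '/themes/' . $theme);  // ...and then here, reachable over HTTP
}

// Static asset types a theme may ship. Anything else is refused.
const THEME_ALLOWED_EXT = ['css', 'js', 'map', 'svg', 'png', 'jpg', 'jpeg',
                          'gif', 'webp', 'ico', 'woff', 'woff2', 'ttf', 'json', 'txt'];
const THEME_MAX_ENTRY_BYTES = 5 * 1024 * 1024;

// Returns null when the entry may be written, otherwise the reason it was refused.
function validate_theme_entry(string $name, string $data): ?string
{
    if ($name === '' || str_contains($name, "\0") || str_contains($name, '\\') || $name[0] === '/') {
        return 'absolute or malformed path';
    }
    $parts = explode('/', $name);
    if (in_array('..', $parts, true)) {
        return 'path traversal';
    }
    $base = end($parts);
    if ($base === '') {
        return null;                      // directory entry, nothing to write
    }
    if ($base[0] === '.') {
        return 'dotfile (a .htaccess could re-enable PHP handling)';
    }
    $exts = explode('.', $base);
    array_shift($exts);                   // drop the stem, keep every extension part
    if ($exts === []) {
        return 'no extension';
    }
    foreach ($exts as $e) {               // shell.php.png is refused, not only shell.php
        if (preg_match('/^ph(p\d?|tml|ar)$/i', $e)) {
            return 'PHP extension in name';
        }
    }
    if (!in_array(strtolower(end($exts)), THEME_ALLOWED_EXT, true)) {
        return 'extension not in allowlist';
    }
    if (preg_match('/<\?(php\b|=|\s)/i', $data)) {   // content check, independent of the name
        return 'PHP open tag in content';
    }
    return null;
}

// Validates every entry before writing anything, then writes only under
// $themesRoot/$themeName. Nothing is ever placed in app/.
function install_theme_checked(string $zipPath, string $themesRoot, string $themeName): array
{
    if (!preg_match('/^[a-z0-9][a-z0-9_-]{0,63}$/i', $themeName)) {
        throw new InvalidArgumentException('theme name must be alphanumeric');
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    $files = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        if ($st['size'] > THEME_MAX_ENTRY_BYTES) {   // checked before the bytes are read
            $zip->close();
            throw new RuntimeException("rejected {$st['name']}: entry too large");
        }
        $data = (string) $zip->getFromIndex($i);
        if (($why = validate_theme_entry($st['name'], $data)) !== null) {
            $zip->close();
            throw new RuntimeException("rejected {$st['name']}: $why");
        }
        if (!str_ends_with($st['name'], '/')) {
            $files[$st['name']] = $data;
        }
    }
    $zip->close();
    $dest = $themesRoot . '/' . $themeName;
    foreach ($files as $name => $data) {
        $path = $dest . '/' . $name;
        if (!is_dir(dirname($path)) && !mkdir(dirname($path), 0755, true)) {
            throw new RuntimeException('cannot create ' . dirname($path));
        }
        file_put_contents($path, $data);  // validated bytes are written; nothing is rename()d from tmp
    }
    return array_keys($files);
}
```

Two design points worth noting. The whole archive is validated before a single file is written, so a bad entry cannot leave a half-installed theme behind, and bytes are written from the archive rather than moved with rename(), which also means symlink entries are never created. The allowlist still admits js and svg, which are active content in a browser; that is a stored-XSS concern for whoever views the theme, separate from the server-side RCE this advisory covers. If a deployment genuinely needs themes that ship PHP templates into app/, theme installation is code deployment and should not be reachable through an upload form at all.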
Recommendations: Update to version 0.31.7.0. As a temporary workaround, restrict access to the '/backend/themes/upload' endpoint, or revoke the theme-upload permission from every non-administrative backend user. Note that the workaround only prevents new uploads; themes installed while the vulnerable version was in use should be reviewed for PHP files under public/ and under the app/ subdirectories named above.
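One way to apply the endpoint restriction at the web server while the update is pending, as an added example that is not part of the advisory or the Ci4Ms project. It assumes the application is served by nginx through CodeIgniter's usual index.php front controller; the location block goes inside the existing server block, and it must appear before any PHP-handling location (for example `location ~ \.php(/|$)`), because nginx uses the first matching regular-expression location in configuration order.

```nginx
# Added example, not from Ci4Ms: refuse the vulnerable route until 0.31.7.0 is
# deployed. Place this above the PHP fastcgi location in the server block.
# The optional /index.php prefix covers deployments without URL rewriting.
location ~ ^(/index\.php)?/backend/themes/upload(/|$) {
    return 403;
}
```

A 403 at the edge stops legitimate administrators from uploading themes too, which is the intended effect of the workaround. If the application is mounted under a sub-path, prefix the pattern accordingly, and verify the block with a request to the route after reloading nginx.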

Tags: Exploit, Fix, RCE, Unrestricted File Upload

Related Identifiers: CVE-2026-41587, GHSA-FW49-9XQ4-GMX6

Affected Products: Ci4Ms