PT-2026-37160 · Ci4Ms · Ci4Ms

Dapickle · Published 2026-05-04 · Updated 2026-05-07 · CVE-2026-41890

CVSS v4.0 6.9 Medium

Vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: CI4MS versions 0.31.1.0 through 0.31.7.0
Description: The deleteProcess() function behind the /backend/themes/delete-process/{slug} endpoint does not validate the tables[] POST parameter. An authenticated administrator can submit a crafted request that names arbitrary tables, and each name is passed directly to $forge->dropTable(). The caller can therefore drop any table in the database, not only the tables belonging to the theme being deleted. Dropping critical tables such as the user identity and authentication tables destroys that data and effectively locks everyone out of the system.
Recommendations: Update to version 0.31.8.0. As a temporary workaround, restrict access to the deleteProcess() endpoint to the most trusted administrators until the update is applied.
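The flaw and its fix, modelled in Python against an in-memory SQLite database (an added example, not CI4MS code and not the patch shipped in 0.31.8.0). The theme-to-table map, the table names and the attacker's tables[] list are constructed for the demonstration; the vulnerable handler drops whatever the client names, exactly as the description states, while the hardened handler rejects any name that the theme being deleted does not own before it touches the database.

```python
import sqlite3

# Constructed fixture: which tables each theme installed (assumed manifest data),
# plus two core tables that no theme deletion should ever be able to reach.
THEME_TABLES = {
    "blog": {"blog_posts", "blog_categories"},
}
CORE_TABLES = {"users", "auth_identities"}


class ThemeTableError(ValueError):
    """Raised when a delete request names a table outside the theme's own set."""


def make_db() -> sqlite3.Connection:
    """Create a fresh in-memory database containing all theme and core tables."""
    conn = sqlite3.connect(":memory:")
    for name in CORE_TABLES | set().union(*THEME_TABLES.values()):
        conn.execute(f'CREATE TABLE "{name}" (id INTEGER PRIMARY KEY)')
    return conn


def existing_tables(conn: sqlite3.Connection) -> set[str]:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return {row[0] for row in rows}


def drop_table(conn: sqlite3.Connection, name: str) -> None:
    """Stand-in for $forge->dropTable(): the identifier is quoted, but nothing
    here decides whether the caller is allowed to drop it."""
    quoted = name.replace('"', '""')
    conn.execute(f'DROP TABLE IF EXISTS "{quoted}"')


def delete_process_vulnerable(conn, slug: str, tables: list[str]) -> set[str]:
    """Mirrors the described flaw: every entry in tables[] is dropped, regardless
    of whether it belongs to the theme identified by slug."""
    for name in tables:
        drop_table(conn, name)
    return existing_tables(conn)


def delete_process_fixed(conn, slug: str, tables: list[str]) -> set[str]:
    """Hardened handler: tables[] is checked against the set of tables the theme
    itself registered, and the whole request is refused if any name is foreign.
    Nothing is dropped until every name has passed the check."""
    allowed = THEME_TABLES.get(slug)
    if allowed is None:
        raise ThemeTableError(f"unknown theme {slug!r}")
    requested = set(tables)
    rejected = requested - allowed
    if rejected:
        raise ThemeTableError(
            f"tables not owned by theme {slug!r}: {sorted(rejected)}"
        )
    for name in sorted(requested):
        drop_table(conn, name)
    return existing_tables(conn)


if __name__ == "__main__":
    # Constructed attacker request: one legitimate theme table plus the users table.
    attack = ["blog_posts", "users"]

    conn = make_db()
    print("vulnerable, tables left:", sorted(delete_process_vulnerable(conn, "blog", attack)))

    conn = make_db()
    try:
        delete_process_fixed(conn, "blog", attack)
    except ThemeTableError as err:
        print("fixed, rejected:", err)
    print("fixed, tables left:", sorted(existing_tables(conn)))
```

Rejecting the whole request rather than silently filtering out foreign names is deliberate: a mixed list is evidence of tampering and should fail loudly and leave an audit trail. A simpler design that removes the attack surface entirely is to ignore the client-supplied list and have the server derive the tables to drop from the theme's own manifest, which is worth considering if the tables[] parameter serves no purpose beyond echoing that manifest back.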

Related Identifiers

CVE-2026-41890
GHSA-VGRF-PR28-VF98

Affected Products

Ci4Ms