PT-2026-6301 · Ci4Ms · Ci4Ms

Far-Horizons · Published 2026-02-02 · Updated 2026-02-04 · CVE-2026-25509

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

CI4MS versions prior to 0.28.5.0

Description

CI4MS, a CodeIgniter 4-based CMS skeleton, contains a flaw in its authentication implementation that allows an unauthenticated attacker to determine if an email address is registered within the system. This is achieved by observing the application’s response during the password reset process. The affected system delivers a production-ready, modular architecture with RBAC authorization and theme support.

Recommendations

Update to version 0.28.5.0 or later.
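
The weakness class described above, shown as an added illustration that is not CI4MS code: a password-reset handler whose response depends on whether the address exists, next to one that answers identically on both paths. The function names, message texts and the in-memory user list are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the user table (hypothetical).
const REGISTERED = ['alice@example.test' => 17];

/** Outbox stand-in so the example runs offline; a real app would queue mail. */
function queueResetMail(int $userId, array &$outbox): void
{
    // Random token; only its hash is kept server-side.
    $token = bin2hex(random_bytes(32));
    $outbox[] = ['user' => $userId, 'token_hash' => hash('sha256', $token)];
}

/** Leaky form: status code and message reveal whether the address exists. */
function resetLeaky(string $email, array &$outbox): array
{
    $id = REGISTERED[strtolower(trim($email))] ?? null;
    if ($id === null) {
        return [404, 'No account with that email address.'];
    }
    queueResetMail($id, $outbox);
    return [200, 'Reset link sent.'];
}

/** Uniform form: same status and body whether or not the account exists. */
function resetUniform(string $email, array &$outbox): array
{
    $id = REGISTERED[strtolower(trim($email))] ?? null;
    if ($id !== null) {
        queueResetMail($id, $outbox);
    }
    return [200, 'If that address is registered, a reset link has been sent.'];
}

// Compare both handlers for a registered and an unregistered address.
$outbox = [];
foreach (['alice@example.test', 'nobody@example.test'] as $addr) {
    [$lc, $lm] = resetLeaky($addr, $outbox);
    [$uc, $um] = resetUniform($addr, $outbox);
    printf("%-22s leaky=%d %-38s uniform=%d %s\n", $addr, $lc, $lm, $uc, $um);
}
```

Response time is part of what a client can observe, so sending the mail from a background queue rather than inside the request keeps the two paths comparable in duration as well as in content.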

Exploit · Fix · Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2026-25509
GHSA-654X-9Q7R-G966

Affected Products

Ci4Ms