CVE-2026-41202: CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE

April 22, 2026 (updated May 8, 2026)

ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root.

References

github.com/advisories/GHSA-xp9f-pvvc-57p4
github.com/ci4-cms-erp/ci4ms
github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0
github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xp9f-pvvc-57p4
nvd.nist.gov/vuln/detail/CVE-2026-41202

Code Behaviors & Features

Detect and mitigate CVE-2026-41202 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →