CVE-2026-41203: CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE

April 22, 2026 (updated May 8, 2026)

ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root.

References

github.com/advisories/GHSA-xv3r-vr59-95rg
github.com/ci4-cms-erp/ci4ms
github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0
github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xv3r-vr59-95rg
nvd.nist.gov/vuln/detail/CVE-2026-41203

Code Behaviors & Features

Detect and mitigate CVE-2026-41203 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →