CVE-2026-45139: CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations

The Fileeditor module enforces an extension allowlist (['css','js','html','txt','json','sql','md']) on content-write operations (saveFile, createFile), but two destructive endpoints — deleteFileOrFolder and renameFile — never validate the extension of the source path. A backend user with file-editor permissions can therefore unlink or rename any file inside the project root that is not explicitly listed in the small $hiddenItems blocklist. Critical framework files such as app/Config/Routes.php, app/Config/App.php, app/Config/Database.php, app/Config/Filters.php, public/index.php, and public/.htaccess all live outside that blocklist and can be destroyed, producing a persistent denial of service that requires filesystem-level redeployment to recover.