External Control of File Name or Path Affecting ci4-cms-erp/ci4ms package, versions <0.31.9.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-CI4CMSERPCI4MS-16755468
- published19 May 2026
- disclosed18 May 2026
- creditoffset
Introduced: 18 May 2026
NewCVE-2026-45139 (opens in a new tab)How to fix?
Upgrade ci4-cms-erp/ci4ms to version 0.31.9.0 or higher.
Overview
ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms
Affected versions of this package are vulnerable to External Control of File Name or Path through the deleteFileOrFolder and renameFile processes. An attacker can remove or rename critical application files by sending crafted requests to these endpoints with paths to files outside the intended allowlist. This can result in persistent disruption of the application, requiring filesystem-level intervention to restore functionality. This is only exploitable if the attacker has authenticated backend access with the fileeditor.delete or fileeditor.update permission.