LeakyCreds

CVE-2026-39394 - Vulnerability Analysis

Severity: High | CVSS: 8.1

Last Updated: April 8, 2026

CI4MS - Configuration Injection

Published: April 8, 2026 | Updated: April 8, 2026 | Remote Exploitable

Overview

CI4MS prior to 0.31.4.0 contains a configuration injection vulnerability: the unvalidated host POST parameter is passed to updateEnvSettings(), which writes it to the .env file, letting attackers inject arbitrary configuration directives. Exploitation requires CSRF protection to be disabled and a bypass of InstallFilter.
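The following added example (not CI4MS source code and not taken from the fix) shows why an unvalidated value written into a line-oriented .env file can create an extra directive, next to a hardened writer that accepts only a hostname or IP address. The function names, the key `database.default.hostname` as the target of the host field, and the sample input are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an installer helper that emits one KEY=value
// line of .env content. This is NOT the CI4MS updateEnvSettings() code.
function renderEnvLineUnsafe(string $key, string $value): string
{
    return $key . '=' . $value . "\n"; // value copied verbatim into the file
}

// Hardened form: the host field must be a hostname or an IP literal.
function validateHost(string $host): string
{
    // Refuse control characters (CR/LF included), whitespace, and characters
    // that have meaning in .env syntax, before any further parsing.
    if (preg_match('/[\x00-\x1F\x7F\s#"\'\\\\=]/', $host) === 1) {
        throw new InvalidArgumentException('host contains forbidden characters');
    }
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isName = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if (!$isIp && !$isName) {
        throw new InvalidArgumentException('host is not a hostname or IP address');
    }
    return $host;
}

function renderEnvLineSafe(string $key, string $value): string
{
    return $key . '=' . validateHost($value) . "\n";
}

// Counts directives (non-empty, non-comment lines) in .env text, so a caller
// can check that one form field produced exactly one directive.
function countDirectives(string $env): int
{
    $lines = preg_split('/\r\n|\r|\n/', $env);
    return count(array_filter($lines, fn ($l) => $l !== '' && $l[0] !== '#'));
}

// Constructed sample input: a host value that carries an embedded newline.
$sample = "localhost\nEXAMPLE_EXTRA_KEY=1";
echo countDirectives(renderEnvLineUnsafe('database.default.hostname', $sample)), "\n";
try {
    renderEnvLineSafe('database.default.hostname', $sample);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo renderEnvLineSafe('database.default.hostname', 'localhost');
```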

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 1.6% (Probability of exploitation in next 30 days)

Impact

Attackers can inject arbitrary configuration directives into the .env file, potentially leading to system compromise or configuration manipulation.

Mitigation

Update to version 0.31.4.0 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Apr 9, 2026

🟠 CVE-2026-39394 - High (8.1) CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation a... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39394/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-39394
Severity: High
CVSS Score: 8.1
Type: undefined
Status: unconfirmed
EPSS: 1.6%
Social Posts: 1

CWE

  • CWE-93

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

1.6% (Probability of exploitation in the next 30 days)