CVE-2026-39394: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in ci4-cms-erp ci4ms
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index() controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings(), which writes it into the .env file via preg_replace(). Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration directives into the .env file. The install routes have CSRF protection explicitly disabled, and the InstallFilter can be bypassed when cache('settings') is empty (cache expiry or fresh deployment). This vulnerability is fixed in 0.31.4.0.
AI Analysis
Technical Summary
The vulnerability arises from the Install::index() controller in ci4ms versions before 0.31.4.0, which accepts a host POST parameter without validation and writes it into the .env configuration file via preg_replace(). Because newline characters are not removed, an attacker can inject CRLF sequences to add arbitrary configuration directives. Additionally, the install routes lack CSRF protection, and the InstallFilter can be bypassed when the cache('settings') is empty, such as after cache expiry or fresh deployment. This allows an unauthenticated attacker to exploit the vulnerability remotely. The issue is addressed in ci4ms version 0.31.4.0.
Potential Impact
Successful exploitation allows an unauthenticated remote attacker to inject arbitrary configuration directives into the .env file, potentially leading to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS score of 8.1 reflects high impact on confidentiality, integrity, and availability. The lack of CSRF protection on install routes and the ability to bypass InstallFilter under certain conditions increase the risk of exploitation.
Mitigation Recommendations
This vulnerability is fixed in ci4ms version 0.31.4.0; upgrade to 0.31.4.0 or later to remediate it. No workaround or temporary fix is published beyond upgrading. Until the upgrade is in place, restrict access to the install routes and make sure the settings cache cannot be empty on a running deployment (after cache expiry or on a fresh deployment), because an empty cache('settings') is the condition under which the InstallFilter can be bypassed. Check the vendor advisory for the latest remediation guidance.
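To make the described mechanism concrete, the following is an added example in plain PHP; it is not code from the ci4ms project. The .env key `app.baseURL`, the sample .env content and the function names `updateEnvSettingsUnsafe`, `updateEnvSettingsSafe` and `isValidHost` are assumptions (the advisory names only `Install::index()`, `updateEnvSettings()` and `preg_replace()`). It shows how a value containing a newline becomes a second directive when written straight into the file, and a hardened writer that validates the host before touching the file and inserts it literally.

```php
<?php
declare(strict_types=1);

// Added example, not ci4ms project code. The key name `app.baseURL`, the
// sample .env text and all function names below are assumptions.

/**
 * The pattern the advisory describes: the request value is dropped into the
 * .env text by preg_replace() with nothing stripping CR/LF, so a newline in
 * $host ends the app.baseURL line and whatever follows becomes its own line.
 */
function updateEnvSettingsUnsafe(string $env, string $host): string
{
    return preg_replace(
        '/^app\.baseURL[ \t]*=.*$/m',
        "app.baseURL = 'http://" . $host . "/'",
        $env
    );
}

/**
 * Accept only a syntactically valid hostname (RFC 1123 labels) with an
 * optional port. Anchoring with \A and \z (not ^/$, which PCRE lets match
 * before a trailing newline) rejects CR, LF and every other character
 * outside the hostname alphabet.
 */
function isValidHost(string $host): bool
{
    if (strlen($host) > 259) {          // 253 for the name plus ":65535"
        return false;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $ok = preg_match(
        '/\A' . $label . '(?:\.' . $label . ')*(?::([0-9]{1,5}))?\z/',
        $host,
        $m
    );
    if ($ok !== 1) {
        return false;
    }
    return !isset($m[1]) || (int) $m[1] <= 65535;
}

/**
 * Hardened writer: validate first, then insert the value literally via a
 * callback so preg_replace()'s own replacement syntax ($1, \\) cannot be
 * triggered either. A missing key is appended instead of silently ignored.
 */
function updateEnvSettingsSafe(string $env, string $host): string
{
    if (!isValidHost($host)) {
        throw new InvalidArgumentException('host is not a valid hostname');
    }
    $line = "app.baseURL = 'http://{$host}/'";
    $updated = preg_replace_callback(
        '/^app\.baseURL[ \t]*=.*$/m',
        static fn (array $match): string => $line,
        $env,
        -1,
        $count
    );
    if ($count === 0) {
        $updated = rtrim($env, "\r\n") . "\n" . $line . "\n";
    }
    return $updated;
}

// Constructed sample .env fragment (not the project's file).
$env = "CI_ENVIRONMENT = production\napp.baseURL = 'http://localhost:8080/'\n";

// Constructed tainted value: a hostname followed by a newline and more text.
$tainted = "example.com\ninjected.key = value";

echo "--- unsafe writer ---\n";
echo updateEnvSettingsUnsafe($env, $tainted);   // second line is now a directive

echo "--- safe writer ---\n";
try {
    updateEnvSettingsSafe($env, $tainted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo updateEnvSettingsSafe($env, 'cms.example.com:8443');
```

Run it with `php example.php`: the unsafe writer prints a three-line .env in which `injected.key = value/'` stands as its own line, while the safe writer refuses the tainted value and only rewrites the one key for a well-formed host. Input validation closes the CRLF path only; the advisory's other two conditions (CSRF protection disabled on the install routes and the InstallFilter bypass when cache('settings') is empty) are separate controls and still need the vendor fix.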
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-06T22:06:40.516Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d737041cc7ad14da41952e
Added to database: 4/9/2026, 5:20:04 AM
Last enriched: 4/9/2026, 5:27:18 AM
Last updated: 4/10/2026, 6:55:54 AM