๐Ÿ” CVE Alert

CVE-2026-48062

CRITICAL 9.8

CodeIgniter: Uploaded file extension validation bypass in `ext_in` rule

CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th

CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in upload validation rule in system/Validation/StrictRules/FileRules.php checked the MIME-derived guessed extension instead of the client-provided filename extension. As a result, an uploaded file named shell.php containing GIF-like content could pass validation such as uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif] because the detected MIME type maps to gif, even though the uploaded filename extension is php. Applications are impacted if they accept user-controlled uploads, rely on ext_in to validate the uploaded filename extension, save uploaded files using the original client filename with $file->move($path), store uploads in a web-accessible directory, and allow PHP or other executable files to run from that directory. In those conditions, this may lead to arbitrary code execution. This issue is fixed in version 4.7.3.

CWE CWE-434
Vendor codeigniter4
Product codeigniter4
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for codeigniter4 codeigniter4

Be the first to know when new critical vulnerabilities affecting codeigniter4 codeigniter4 are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

codeigniter4 / CodeIgniter4
< 4.7.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-2gr4-ppc7-7mhx github.com: https://github.com/codeigniter4/CodeIgniter4/commit/29299349e7d232e9532767c7cefaed30957309be github.com: https://github.com/codeigniter4/CodeIgniter4/releases/tag/v4.7.3