Codeigniter4 vulnerabilities
12 known vulnerabilities affecting codeigniter4/codeigniter4.
Total CVEs
12
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL5HIGH4MEDIUM3
Vulnerabilities
Page 1 of 1
CVE-2022-21647P2CRITICALCVSS 9.8fixed in 4.1.62022-01-04
CVE-2022-21647 [CRITICAL] CWE-502 CVE-2022-21647: CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was fo
CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injectio
nvd
CVE-2025-54418P2CRITICALCVSS 9.8fixed in 4.6.22025-07-28
CVE-2025-54418 [CRITICAL] CWE-78 CVE-2025-54418: CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions
CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (`imagick` as the image library) and either allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method or use th
nvd
CVE-2022-24711P3CRITICALCVSS 9.8fixed in 4.1.92022-02-28
CVE-2022-24711 [CRITICAL] CWE-20 CVE-2022-24711: CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. Prior to version 4.1.
CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. Prior to version 4.1.9, an improper input validation vulnerability allows attackers to execute CLI routes via HTTP request. Version 4.1.9 contains a patch. There are currently no known workarounds for this vulnerability.
nvd
CVE-2023-32692P3CRITICALCVSS 9.8fixed in 4.3.52023-05-30
CVE-2023-32692 [CRITICAL] CWE-94 CVE-2023-32692: CodeIgniter is a PHP full-stack web framework. This vulnerability allows attackers to execute arbitr
CodeIgniter is a PHP full-stack web framework. This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders. The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally. This issue is
nvd
CVE-2022-46170P3CRITICALCVSS 9.8fixed in 4.2.112022-12-22
CVE-2022-46170 [CRITICAL] CWE-287 CVE-2022-46170: CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies
CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access page
nvd
CVE-2022-24712P3HIGHCVSS 8.8fixed in 4.1.92022-02-28
CVE-2022-24712 [HIGH] CWE-352 CVE-2022-24712: CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in ve
CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery (CSRF) protection mechanism. Users should upgrade to version 4.1.9. There are workarounds for this vulnerability, but users will still need to code
nvd
CVE-2023-46240P3HIGHCVSS 7.5fixed in 4.4.32023-10-31
CVE-2023-46240 [HIGH] CWE-209 CVE-2023-46240: CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or e
CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('di
nvd
CVE-2024-29904P3HIGHCVSS 7.5fixed in 4.4.72024-03-29
CVE-2024-29904 [HIGH] CWE-835 CVE-2024-29904: CodeIgniter is a PHP full-stack web framework A vulnerability was found in the Language class that a
CodeIgniter is a PHP full-stack web framework A vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server. Upgrade to v4.4.7 or later.
nvd
CVE-2022-23556P3HIGHCVSS 7.5fixed in 4.2.112022-12-22
CVE-2022-23556 [HIGH] CWE-345 CVE-2022-23556: CodeIgniter is a PHP full-stack web framework. This vulnerability may allow attackers to spoof their
CodeIgniter is a PHP full-stack web framework. This vulnerability may allow attackers to spoof their IP address when the server is behind a reverse proxy. This issue has been patched, please upgrade to version 4.2.11 or later, and configure `Config\App::$proxyIPs`. As a workaround, do not use `$request->getIPAddress()`.
nvd
CVE-2025-24013P4MEDIUMCVSS 5.3fixed in 4.5.82025-01-20
CVE-2025-24013 [MEDIUM] CWE-436 CVE-2025-24013: CodeIgniter is a PHP full-stack web framework. Prior to 4.5.8, CodeIgniter lacked proper header vali
CodeIgniter is a PHP full-stack web framework. Prior to 4.5.8, CodeIgniter lacked proper header validation for its name and value. The potential attacker can construct deliberately malformed headers with Header class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these ma
nvd
CVE-2022-21715P4MEDIUMCVSS 6.1fixed in 4.1.82022-01-24
CVE-2022-21715 [MEDIUM] CWE-79 CVE-2022-21715: CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scriptin
CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potenti
nvd
CVE-2022-39284P4MEDIUMCVSS 4.3fixed in 4.2.72022-10-06
CVE-2022-39284 [MEDIUM] CWE-665 CVE-2022-39284: CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$htt
CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users ar
nvd