Codeigniter4 Framework vulnerabilities
16 known vulnerabilities affecting codeigniter4/framework.
Total CVEs: 16
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 8, MEDIUM 3, LOW 1
Vulnerabilities
CVE-2022-21647 | P2 | HIGH | affected versions ≥ 0, < 4.1.6 | 2022-01-06
CVE-2022-21647 [HIGH] CWE-502 Deserialization of Untrusted Data in Codeigniter4
### Impact
Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4.
Remote attackers may inject auto-loadable arbitrary objects with this vulnerability,
and possibly execute existing PHP code on the server.
We are aware of a working exploit, which can lead to SQL injection.
### Patches
Upgrade to v4.1.6 or later.
### Workarounds
Do not u
CVE-2025-54418 | P2 | CRITICAL | affected versions ≥ 0, < 4.6.2 | 2025-07-28
CVE-2025-54418 [CRITICAL] CWE-78 CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability
### Impact
This vulnerability affects applications that:
* Use the ImageMagick handler for image processing (`imagick` as the image library)
* **AND** either:
  * Allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method
  * **OR** use the `text()` method with user-controlled tex
CVE-2022-24711 | P3 | CRITICAL | affected versions ≥ 0, < 4.1.9 | 2022-03-01
CVE-2022-24711 [CRITICAL] CWE-20 Remote CLI Command Execution Vulnerability in CodeIgniter4
### Impact
This vulnerability allows attackers to execute CLI routes via HTTP request.
### Patches
Upgrade to v4.1.9 or later.
### Workarounds
None.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [codeigniter4/CodeIgniter4](https://github.com/codeigniter4/CodeIgniter4/issues)
* Email us a
CVE-2023-32692 | P3 | CRITICAL | affected versions ≥ 0, < 4.3.5 | 2023-05-22
CVE-2023-32692 [CRITICAL] CWE-94 Remote Code Execution Vulnerability in Validation Placeholders in CodeIgniter4
### Impact
This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders.
The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally.
### Pa
CVE-2020-10793 | P3 | HIGH | affected versions ≥ 0, ≤ 4.0.0 | 2022-05-24
CVE-2020-10793 [HIGH] CWE-269 CodeIgniter Improper Privilege Management
CodeIgniter through 4.0.0 allows remote attackers to gain privileges via a modified Email ID to the "Select Role of the User" page. NOTE: A contributor to the CodeIgniter framework argues that the issue should not be attributed to CodeIgniter. Furthermore, the blog post reference shows an unknown website built with the CodeIgniter framework but that CodeIgniter is not responsible fo
CVE-2022-46170 | P3 | HIGH | affected versions ≥ 0, < 4.2.11 | 2022-12-22
CVE-2022-46170 [HIGH] CWE-287 CodeIgniter4 Potential Session Handlers Vulnerability
### Impact
When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for
CVE-2022-24712 | P3 | MEDIUM | affected versions ≥ 0, < 4.1.9 | 2022-03-01
CVE-2022-24712 [MEDIUM] CWE-352 Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability in CodeIgniter4
### Impact
This vulnerability might allow remote attackers to bypass the CodeIgniter4 CSRF protection mechanism.
### Patches
Upgrade to v4.1.9 or later.
### Workarounds
These are workarounds for this vulnerability, but **you will still need to code like this even after upgrading to v4.1.9**.
Otherwise, the
CVE-2023-46240 | P3 | HIGH | affected versions ≥ 0, < 4.4.3 | 2023-10-30
CVE-2023-46240 [HIGH] CWE-209 CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment
### Impact
If an error or exception occurs in CodeIgniter4 v4.4.2 and earlier, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked.
### Patches
Upgrade to v4.4.
CVE-2024-29904 | P3 | HIGH | affected versions ≥ 0, < 4.4.7 | 2024-03-29
CVE-2024-29904 [HIGH] CWE-674 CodeIgniter4 DoS Vulnerability
### Impact
A vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server.
### Patches
Upgrade to v4.4.7 or later. See [upgrading guide](https://codeigniter4.github.io/userguide/installation/upgrade_447.html).
### Workarounds
- Disabling Auto Routing prevents a known attack vector in the fram
CVE-2022-23556 | P3 | HIGH | affected versions ≥ 0, < 4.2.11 | 2022-12-22
CVE-2022-23556 [HIGH] CWE-345 CodeIgniter4 allows spoofing of IP address when using proxy
### Impact
This vulnerability may allow attackers to spoof their IP address when your server is behind a reverse proxy.
### Patches
Upgrade to v4.2.11 or later, and configure `Config\App::$proxyIPs`.
### Workarounds
Do not use `$request->getIPAddress()`.
### References
- https://codeigniter4.github.io/userguide/incoming/request.html#CodeIgniter
CVE-2017-1000247 | P3 | HIGH | affected versions ≥ 3.1.3, < 3.1.4 | 2022-05-17
CVE-2017-1000247 [HIGH] CWE-20 CodeIgniter HTTP Header Injection
British Columbia Institute of Technology CodeIgniter 3.1.3 is vulnerable to HTTP Header Injection in the set_status_header() common function under Apache resulting in HTTP Header Injection flaws.
CVE-2025-24013 | P4 | HIGH | CVSS 7.5 | affected versions ≥ 0, < 4.5.8 | 2025-01-21
CVE-2025-24013 [HIGH] CWE-436 Missing validation of header name and value in codeigniter4/framework
### Impact
Header names and values are not properly validated. A potential attacker can construct deliberately malformed headers with the `Header` class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these malformed requests might lead to a DoS sc
CVE-2025-45406 | P4 | MEDIUM | affected versions ≥ 0, ≤ 4.6.2 | 2025-07-25
CVE-2025-45406 [MEDIUM] CWE-79 Withdrawn Advisory: CodeIgniter4 Cross-Site Scripting Vulnerability in debugbar_time Parameter
### Withdrawn Advisory
This advisory has been withdrawn because the original report was found to be invalid. This link is maintained to preserve external references. For more information, see https://github.com/github/advisory-database/pull/5862.
### Original Description
A sto
CVE-2022-21715 | P4 | MEDIUM | affected versions ≥ 0, < 4.1.8 | 2022-01-27
CVE-2022-21715 [MEDIUM] CWE-79 Cross-site Scripting Vulnerability in CodeIgniter4
### Impact
Cross-Site Scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4.
Attackers can perform XSS attacks if you are using `API\ResponseTrait`.
### Patches
Upgrade to v4.1.8 or later.
### Workarounds
Do one of the following:
1. Do not use `API\ResponseTrait` nor `ResourceController`
2. Disable Auto Route and [Use Defined Routes Only](htt
CVE-2022-39284 | P4 | LOW | affected versions ≥ 0, < 4.2.7 | 2022-10-06
CVE-2022-39284 [LOW] CWE-665 Codeigniter4's Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued
### Impact
Setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`.
> **Note**
> This vulnerability does not affect session cookies.
The following code does not issue a cookie with the secure flag even if
CVE-2026-48062 | CRITICAL | affected versions ≥ 0, < 4.7.3 | 2026-06-11
CVE-2026-48062 [CRITICAL] CWE-434 CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule
### Impact
The `ext_in` upload validation rule checked the MIME-derived guessed extension instead of the client-provided filename extension. As a result, an uploaded file named `shell.php` containing GIF-like content could pass validation such as:
```
uploaded[avatar]|is_image[avatar]|mime_in
```