CVE-2026-48062
codeigniter4 · CodeIgniter4
A file upload validation bypass in CodeIgniter4 allows attackers to upload executable PHP files by manipulating MIME-derived extensions.
Executive summary
A critical vulnerability in the CodeIgniter4 file upload validation mechanism allows unauthenticated attackers to bypass security checks and potentially execute arbitrary code.
Vulnerability
This is an unrestricted upload of a file with a dangerous type (CWE-434). The framework's ext_in validation rule incorrectly relies on guessed MIME types rather than the actual file extension, allowing malicious files to be uploaded and executed if stored in a web-accessible directory.
Business impact
The ability to upload and execute arbitrary files poses a critical risk to any application using the affected framework. With a CVSS score of 9.8, an attacker can gain full control over the application, access sensitive configuration files, and pivot into the internal network.
Remediation
Immediate Action: Update the CodeIgniter4 framework to version 4.7.3 or later.
Proactive Monitoring: Review file upload directories for unexpected files and audit applications to ensure uploaded content is stored outside of web-accessible paths.
Compensating Controls: Configure the web server to disable the execution of scripts within the directories where user-uploaded files are stored.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Applications relying on CodeIgniter4 for file uploads are at high risk. Developers must upgrade the framework immediately and ensure that uploaded files are handled with strict security practices to mitigate the risk of arbitrary code execution.