Arbitrary File Upload Affecting codeigniter4/framework package, versions <4.7.3


Severity: critical (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS: 0.08% (24th percentile)

  • Snyk ID: SNYK-PHP-CODEIGNITER4FRAMEWORK-17660421
  • Published: 27 Jun 2026
  • Disclosed: 11 Jun 2026
  • Credit: z3moo, teebow1e

Introduced: 11 Jun 2026

CVE-2026-48062
CWE-434

How to fix?

Upgrade codeigniter4/framework to version 4.7.3 or higher.

Overview

codeigniter4/framework is a PHP full-stack web framework that is light, fast, flexible, and secure.

Affected versions of this package are vulnerable to Arbitrary File Upload in the ext_in validation rule for file uploads. An attacker can execute arbitrary code by uploading a file with a dangerous extension that bypasses validation, such as a PHP file disguised with a permitted MIME type. This is only exploitable if the application accepts user-controlled uploads, relies on ext_in for extension validation, saves files using the original client filename, stores uploads in a web-accessible directory, and allows execution of uploaded files from that directory.

Workaround

This vulnerability can be mitigated by saving uploads outside the public web root, using randomized filenames for uploads, disabling script execution in public upload directories, manually verifying the client filename extension before moving the file, or rejecting files when the client extension is not in the allowed list or does not match the guessed extension.
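The following controller action, an added example and not CodeIgniter's own code, applies the workaround above in one place: it compares the client-supplied extension against the extension guessed from the detected MIME type, rejects any mismatch or non-allow-listed value, and stores the file under a random name outside the public web root. It assumes a CodeIgniter 4 application with an upload field named `userfile`, an allow-list of `jpg`, `png` and `pdf`, and a writable `WRITEPATH . 'uploads'` directory.

```php
<?php
// Added example (not part of the CodeIgniter project): upload handler that
// performs the manual extension check the advisory's workaround describes.
// Assumes a CodeIgniter 4 app, a form field "userfile", and WRITEPATH/uploads
// existing outside the public web root.

namespace App\Controllers;

use CodeIgniter\HTTP\Files\UploadedFile;

class Upload extends BaseController
{
    /** Allow-list of extensions this application accepts (assumption). */
    private const ALLOWED_EXTENSIONS = ['jpg', 'png', 'pdf'];

    /**
     * True only when the client-supplied extension and the extension guessed
     * from the detected MIME type are both allow-listed AND identical.
     * A "shell.php" sent with an image MIME type fails the first check;
     * an "image.png" whose content is actually PHP fails the second.
     * (A client name ending in ".jpeg" is rejected here by design, because
     * the guessed extension for image/jpeg is "jpg".)
     */
    public static function extensionIsAllowed(UploadedFile $file): bool
    {
        $client  = strtolower($file->getClientExtension());
        $guessed = strtolower((string) $file->guessExtension());

        return in_array($client, self::ALLOWED_EXTENSIONS, true)
            && in_array($guessed, self::ALLOWED_EXTENSIONS, true)
            && $client === $guessed;
    }

    public function store()
    {
        $file = $this->request->getFile('userfile');

        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setBody('No valid upload');
        }
        if (! self::extensionIsAllowed($file)) {
            return $this->response->setStatusCode(415)->setBody('File type not allowed');
        }

        // Random name + directory outside the web root: the client filename is
        // never used on disk and the stored file cannot be served or executed.
        $storedName = $file->getRandomName();
        $file->move(WRITEPATH . 'uploads', $storedName);

        return $this->response->setJSON(['stored' => $storedName]);
    }
}
```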
