PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48062 codeigniter4 CVE debrief

CVE-2026-48062 is a critical vulnerability in CodeIgniter, a PHP full-stack web framework. The ext_in upload validation rule incorrectly checked the MIME type's extension instead of the client-provided filename extension, potentially allowing an attacker to upload a malicious PHP file as a GIF image. This vulnerability is particularly severe if applications accept user-controlled uploads, rely on ext_in to validate the uploaded filename extension, save uploaded files using the original client filename with $file->move($path), store uploads in a web-accessible directory, and allow PHP or other executable files to run from that directory. In such conditions, this may lead to arbitrary code execution. Developers and administrators should review their applications' upload validation rules and ensure they correctly validate filename extensions. Additionally, implementing additional security measures such as validating MIME types and file contents, restricting uploads to only allow specific file types and extensions, and storing uploaded files in a non-web-accessible directory can help mitigate this vulnerability.

Vendor
codeigniter4
Product
Unknown
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Developers and administrators using CodeIgniter versions prior to 4.7.3 should be aware of this vulnerability, especially if their applications accept user-controlled uploads, rely on ext_in for validation, and store uploads in a web-accessible directory.

Technical summary

In CodeIgniter versions prior to 4.7.3, the ext_in upload validation rule in system/Validation/StrictRules/FileRules.php incorrectly checked the MIME-derived guessed extension instead of the client-provided filename extension. This could allow an attacker to upload a file named shell.php containing GIF-like content, which could pass validation rules such as uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif]. The vulnerability is particularly severe if applications accept user-controlled uploads, rely on ext_in to validate the uploaded filename extension, save uploaded files using the original client filename with $file->move($path), store uploads in a web-accessible directory, and allow PHP or other executable files to run from that directory. In such conditions, this may lead to arbitrary code execution.

Defensive priority

High

Recommended defensive actions

  • Immediately upgrade to CodeIgniter version 4.7.3 or later
  • Review and update upload validation rules to ensure they correctly validate filename extensions
  • Implement additional security measures such as validating MIME types and file contents
  • Restrict uploads to only allow specific file types and extensions
  • Store uploaded files in a non-web-accessible directory

Evidence notes

The CVE record was published on 2026-07-17T21:17:06.787Z and has not been modified since then. The NVD entry is currently available. The vulnerability was fixed in version 4.7.3 of CodeIgniter. There are no known ransomware campaigns using this vulnerability. The CVE record was created based on the supplied source corpus and has not been modified. The debrief is based on the CVE record and NVD entry.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T21:17:06.787Z and has not been modified since then.