PatchSiren cyber security CVE debrief
CVE-2026-48062 codeigniter4 CVE debrief
CVE-2026-48062 is a critical vulnerability in CodeIgniter, a PHP full-stack web framework. The ext_in upload validation rule incorrectly checked the MIME type's extension instead of the client-provided filename extension, potentially allowing an attacker to upload a malicious PHP file as a GIF image. This vulnerability is particularly severe if applications accept user-controlled uploads, rely on ext_in to validate the uploaded filename extension, save uploaded files using the original client filename with $file->move($path), store uploads in a web-accessible directory, and allow PHP or other executable files to run from that directory. In such conditions, this may lead to arbitrary code execution. Developers and administrators should review their applications' upload validation rules and ensure they correctly validate filename extensions. Additionally, implementing additional security measures such as validating MIME types and file contents, restricting uploads to only allow specific file types and extensions, and storing uploaded files in a non-web-accessible directory can help mitigate this vulnerability.
- Vendor
- codeigniter4
- Product
- Unknown
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Developers and administrators using CodeIgniter versions prior to 4.7.3 should be aware of this vulnerability, especially if their applications accept user-controlled uploads, rely on ext_in for validation, and store uploads in a web-accessible directory.
Technical summary
In CodeIgniter versions prior to 4.7.3, the ext_in upload validation rule in system/Validation/StrictRules/FileRules.php incorrectly checked the MIME-derived guessed extension instead of the client-provided filename extension. This could allow an attacker to upload a file named shell.php containing GIF-like content, which could pass validation rules such as uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif]. The vulnerability is particularly severe if applications accept user-controlled uploads, rely on ext_in to validate the uploaded filename extension, save uploaded files using the original client filename with $file->move($path), store uploads in a web-accessible directory, and allow PHP or other executable files to run from that directory. In such conditions, this may lead to arbitrary code execution.
Defensive priority
High
Recommended defensive actions
- Immediately upgrade to CodeIgniter version 4.7.3 or later
- Review and update upload validation rules to ensure they correctly validate filename extensions
- Implement additional security measures such as validating MIME types and file contents
- Restrict uploads to only allow specific file types and extensions
- Store uploaded files in a non-web-accessible directory
Evidence notes
The CVE record was published on 2026-07-17T21:17:06.787Z and has not been modified since then. The NVD entry is currently available. The vulnerability was fixed in version 4.7.3 of CodeIgniter. There are no known ransomware campaigns using this vulnerability. The CVE record was created based on the supplied source corpus and has not been modified. The debrief is based on the CVE record and NVD entry.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T21:17:06.787Z and has not been modified since then.