CRITICAL 9.8 CVE-2026-48062 CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule
from 0, < 4.7.3
CRITICAL 9.8 CVE-2025-54418 CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability
from 0, < 4.6.2
CRITICAL 9.8 Remote Code Execution Vulnerability in Validation Placeholders in CodeIgniter4
from 0, < 4.3.5
CRITICAL 9.4 Remote CLI Command Execution Vulnerability in CodeIgniter4
from 0, < 4.1.9
HIGH 8.8 CodeIgniter Improper Privilege Management
from 0, <= 4.0.0
HIGH 8.6 CodeIgniter4 Potential Session Handlers Vulnerability
from 0, < 4.2.11
HIGH 7.7 Deserialization of Untrusted Data in Codeigniter4
from 0, < 4.1.6
HIGH 7.5 CodeIgniter4 DoS Vulnerability
from 0, < 4.4.7
HIGH 7.5 CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment
from 0, < 4.4.3
HIGH 7.5 CodeIgniter HTTP Header Injection
>= 3.1.3, < 3.1.4
HIGH 7.0 CodeIgniter4 allows spoofing of IP address when using proxy
from 0, < 4.2.11
MEDIUM 6.3 Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability in CodeIgniter4
from 0, < 4.1.9
MEDIUM 5.4 Cross-site Scripting Vulnerability in CodeIgniter4
from 0, < 4.1.8
MEDIUM 5.3 Missing validation of header name and value in codeigniter4/framework
from 0, < 4.5.8
LOW 2.6 Codeigniter4's Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued
from 0, < 4.2.7