
CodeIgniter4 CVE-2026-48062

Severity: CRITICAL (9.8, CVSS 3.1, GitHub Advisory)
Weakness: Unrestricted Upload of File with Dangerous Type (CWE-434)
Date: 2026-06-11
Project: https://github.com/codeigniter4/CodeIgniter4
Advisory: GHSA-2gr4-ppc7-7mhx

Severity by source

GitHub Advisory (primary): 9.8 CRITICAL
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.1 HIGH
  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  Rationale: the upload endpoint is network-reachable and unauthenticated in vulnerable configurations, but Attack Complexity is rated High because exploitation requires a non-default chain (an ext_in-gated upload form, a move() that preserves the original filename, storage under the web root, and PHP execution from that directory).

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  Attack Vector:        Network
  Attack Complexity:    Low
  Privileges Required:  None
  User Interaction:     None
  Scope:                Unchanged
  Confidentiality:      High
  Integrity:            High
  Availability:         High

Lifecycle Timeline

  Jun 11, 2026 17:45 (vuln.today): source code evidence fetched
  Jun 11, 2026 17:45 (vuln.today): analysis generated

Description (GitHub Advisory)

Impact

The ext_in upload validation rule checked the MIME-derived guessed extension instead of the client-provided filename extension. As a result, an uploaded file named shell.php containing GIF-like content could pass validation such as:

uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif]

because the detected MIME type maps to gif, even though the uploaded filename extension is php.

Applications are impacted if they:

  • accept user-controlled uploads,
  • rely on ext_in to validate the uploaded filename extension,
  • save uploaded files using the original client filename: $file->move($path),
  • store uploads in a web-accessible directory,
  • and allow PHP or other executable files to run from that directory.

In those conditions, this may lead to arbitrary code execution. The default application does not expose such an upload endpoint.

Patches

Upgrade to v4.7.3 or later.

Workarounds

  • Save uploads outside the public web root, preferably under writable/uploads
  • Use $file->store() or $file->move($path, $file->getRandomName()) instead of preserving the original filename
  • Disable script execution in any public upload directory
  • Manually verify the client filename extension before moving the file
  • Reject files when $file->getClientExtension() is not in the allowed list or does not match $file->guessExtension()
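The following controller is an added example (not code from vuln.today or from the CodeIgniter4 project) showing how the workarounds above combine in one upload handler: the advisory's rule chain is kept, but the client extension is checked explicitly and required to agree with the content-derived extension, the file is renamed with getRandomName(), and it is stored below writable/uploads via store() instead of moved under the public web root. The controller and route names are assumptions; the field name avatar and the rule string come from the advisory. It also assumes that, for the accepted image types, guessExtension() returns the same lowercase token as the client extension (jpg vs jpeg is passed through as the proposed extension, so CodeIgniter's guesser keeps it); if guessExtension() falls back to the client extension, the check degrades to the allow-list, which still rejects .php.

```php
<?php

namespace App\Controllers;

use CodeIgniter\HTTP\Files\UploadedFile;
use CodeIgniter\HTTP\ResponseInterface;

/**
 * Added example: an avatar upload handler hardened with the advisory's
 * workarounds. Class and method names are assumptions, not CI4 conventions.
 */
class Avatar extends BaseController
{
    /** Allowed client extensions; keep this list in sync with the ext_in rule below. */
    private const ALLOWED_EXT = ['gif', 'png', 'jpg', 'jpeg'];

    public function upload(): ResponseInterface
    {
        // Same shape as the advisory's rule chain. Before 4.7.3, ext_in only looks at
        // the MIME-derived extension, so it must not be the only extension gate.
        $rules = [
            'avatar' => 'uploaded[avatar]|is_image[avatar]'
                . '|mime_in[avatar,image/gif,image/png,image/jpeg]'
                . '|ext_in[avatar,gif,png,jpg,jpeg]|max_size[avatar,2048]',
        ];

        if (! $this->validate($rules)) {
            return $this->response->setStatusCode(422)->setJSON($this->validator->getErrors());
        }

        /** @var UploadedFile|null $file */
        $file = $this->request->getFile('avatar');

        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setJSON(['error' => 'no file uploaded']);
        }

        // Workarounds 4 and 5: check the client-supplied extension ourselves and require
        // it to match what the content suggests. A "shell.php" with GIF-like content
        // fails here even on a framework version where ext_in alone would pass it.
        if (! self::extensionIsConsistent($file)) {
            return $this->response->setStatusCode(422)->setJSON(['error' => 'extension not allowed']);
        }

        // Workarounds 1 and 2: never keep the client filename, and store under
        // WRITEPATH/uploads (writable/uploads), which is outside the public web root.
        // The vulnerable pattern this replaces is: $file->move(FCPATH . 'uploads');
        $storedPath = $file->store('avatars', $file->getRandomName());

        return $this->response->setJSON(['stored' => $storedPath]);
    }

    /**
     * The client extension must be non-empty, on the allow-list, and equal to the
     * content-derived extension. Lowercasing makes "shell.PHP" behave like "shell.php".
     */
    public static function extensionIsConsistent(UploadedFile $file): bool
    {
        $client  = strtolower($file->getClientExtension());
        $guessed = strtolower($file->guessExtension());

        return $client !== ''
            && in_array($client, self::ALLOWED_EXT, true)
            && $client === $guessed;
    }
}
```

Because the file now lives outside the document root, it has to be served back through a controller action (for example one that reads the stored path and sets the response body and Content-Type), which also keeps workaround 3 trivially satisfied: nothing under writable/ is reachable by URL, so the web server never gets a chance to execute it.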

Analysis (AI)

Arbitrary file upload leading to remote code execution in CodeIgniter4 framework versions prior to 4.7.3 occurs because the ext_in validation rule inspects the MIME-derived guessed extension rather than the client-supplied filename extension. Applications that accept user uploads, rely on ext_in for extension allow-listing, persist files under their original client filename inside a web-accessible directory, and permit PHP execution in that directory can be coerced into writing and executing attacker-controlled PHP. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: identify a CodeIgniter4 application with a public upload endpoint
  • Delivery: craft a GIF/PHP polyglot named shell.php
  • Exploit: POST the file through an ext_in-validated form
  • Install: validation passes on the MIME-derived extension
  • C2: the file is written to the web root under its original name
  • Execute: request /uploads/shell.php to trigger PHP execution
  • Impact: obtain RCE as the web-server user

Vulnerability Assessment (AI)

Exploitation: Exploitation requires all of the following to be simultaneously true in the target application: (1) a publicly reachable upload endpoint built by the application developer, since the default CodeIgniter4 skeleton ships no such endpoint; (2) a validation chain that relies on the `ext_in` rule for extension allow-listing, optionally combined with `is_image` and `mime_in` (sites using custom extension checks are not affected); (3) an upload handler that calls `$file->move($path)` without supplying `$file->getRandomName()`, thereby preserving the attacker-controlled `.php` filename; (4) a destination directory inside the document root and reachable over HTTP; and (5) a web server configured to execute PHP (or another scripting handler) for files in that directory. …

Risk Assessment: The published CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8) overstates the practical risk because exploitation is gated by the chain of developer-controlled conditions enumerated by the vendor: a public upload endpoint must exist (the default CodeIgniter4 application ships none), `ext_in` must be the extension gate, the handler must call `$file->move($path)` and so preserve the client filename, the destination must be inside the web root, and the web server must execute PHP (or other scripts) from that directory. …

Exploit Scenario: An unauthenticated attacker visits a CodeIgniter4 application's avatar/profile-picture upload endpoint and submits a polyglot file named `shell.php` whose first bytes are the GIF89a magic header followed by `<?php` code. The `mime_in[avatar,image/gif]` and `ext_in[avatar,gif]` rules both pass because content sniffing yields `gif`, and `$file->move($path)` writes the file to the public web root with its `.php` suffix intact. The attacker then requests `/uploads/shell.php`, the web server executes the embedded PHP, and the attacker obtains remote code execution as the web-server user. …

Remediation: Vendor-released patch: upgrade `codeigniter4/framework` to 4.7.3 or later via Composer (`composer require codeigniter4/framework:^4.7.3`). The fix is commit 29299349e7d232e9532767c7cefaed30957309be, which validates `getClientExtension()` first and additionally requires `guessExtension()` to match it. …

Recommended Action (AI)

24 hours: Identify all CodeIgniter4 deployments running versions prior to 4.7.3 with file upload functionality. …
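To support that first step, here is an added example (not vuln.today's or CodeIgniter's code) of a small audit script that walks an application tree and flags the two source-level preconditions from the assessment above: an `ext_in[...]` rule and a `->move(...)` call with a single argument, which is the form that keeps the client filename. It also reads the installed `codeigniter4/framework` version from composer.lock and compares it against 4.7.3. The patterns are heuristics (a one-argument `move()` may store outside the web root, and a rule string may be assembled at runtime), so every hit still needs manual confirmation of the remaining conditions: web-root destination and script execution. The sample tree it builds when run without an argument is constructed for the demonstration.

```php
<?php
// Added example (not from vuln.today or CodeIgniter): heuristic audit for the
// CVE-2026-48062 preconditions in a CodeIgniter4 app tree.
declare(strict_types=1);

const FIXED_VERSION = '4.7.3';

/** Scan *.php under $root; return [relative path => [[line, what, snippet], ...]]. */
function auditTree(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if ($info->getExtension() !== 'php') {
            continue;
        }
        $rel = substr($path, strlen($root) + 1);
        foreach (file($path) as $i => $line) {
            $hits = [];
            if (preg_match('/\bext_in\[/', $line)) {
                $hits[] = 'ext_in rule (extension gate affected before ' . FIXED_VERSION . ')';
            }
            // ->move( followed by a single argument: no comma before the closing paren.
            if (preg_match('/->move\(\s*[^,()]*\)/', $line)) {
                $hits[] = 'move() with one argument keeps the client filename';
            }
            foreach ($hits as $what) {
                $findings[$rel][] = [$i + 1, $what, trim($line)];
            }
        }
    }
    ksort($findings);
    return $findings;
}

/** Installed codeigniter4/framework version from composer.lock, or null if not found. */
function frameworkVersion(string $lockFile): ?string
{
    if (! is_file($lockFile)) {
        return null;
    }
    $lock = json_decode((string) file_get_contents($lockFile), true);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === 'codeigniter4/framework') {
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

function isVulnerableVersion(?string $version): bool
{
    return $version !== null && version_compare($version, FIXED_VERSION, '<');
}

/** Constructed sample tree so the script runs offline; pass a real app root instead. */
function buildSampleTree(): string
{
    $root = sys_get_temp_dir() . '/ci4-audit-' . bin2hex(random_bytes(4));
    mkdir("$root/app/Controllers", 0700, true);
    file_put_contents("$root/app/Controllers/Avatar.php", <<<'SRC'
<?php
class Avatar {
    public function upload() {
        $rules = ['avatar' => 'uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif]'];
        $file = $this->request->getFile('avatar');
        $file->move(FCPATH . 'uploads');                            // flagged: client name kept
        $file->move(WRITEPATH . 'uploads', $file->getRandomName()); // not flagged: random name
    }
}
SRC);
    file_put_contents("$root/composer.lock", json_encode(['packages' => [
        ['name' => 'codeigniter4/framework', 'version' => 'v4.7.2'],
    ]]));
    return $root;
}

$root    = $argv[1] ?? buildSampleTree();
$version = frameworkVersion("$root/composer.lock");
printf("codeigniter4/framework: %s (%s)\n", $version ?? 'unknown',
    isVulnerableVersion($version) ? 'before ' . FIXED_VERSION . ', ext_in affected' : 'patched or unknown');

foreach (auditTree("$root/app") as $file => $hits) {
    foreach ($hits as [$line, $what, $snippet]) {
        printf("%s:%d  %s\n    %s\n", $file, $line, $what, $snippet);
    }
}
```

Run it as `php audit.php /path/to/app` against each deployment; a version below 4.7.3 together with an `ext_in` hit and a one-argument `move()` hit in the same handler is the combination to investigate first, and a patched version turns the `ext_in` finding into a non-issue while the `move()` finding remains worth fixing on its own.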


CVE-2026-48062 vulnerability details – vuln.today
