CVE-2026-48062 in CodeIgniterinfo

Summary

by MITRE • 07/17/2026

CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in upload validation rule in system/Validation/StrictRules/FileRules.php checked the MIME-derived guessed extension instead of the client-provided filename extension. As a result, an uploaded file named shell.php containing GIF-like content could pass validation such as uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif] because the detected MIME type maps to gif, even though the uploaded filename extension is php. Applications are impacted if they accept user-controlled uploads, rely on ext_in to validate the uploaded filename extension, save uploaded files using the original client filename with $file->move($path), store uploads in a web-accessible directory, and allow PHP or other executable files to run from that directory. In those conditions, this may lead to arbitrary code execution. This issue is fixed in version 4.7.3.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability in CodeIgniter versions prior to 4.7.3 represents a critical validation bypass flaw that undermines the framework's file upload security mechanisms. This issue specifically affects the ext_in validation rule located in system/Validation/StrictRules/FileRules.php, which fails to properly validate client-provided filename extensions against the actual MIME type of uploaded files. The flaw creates a dangerous mismatch between what the application believes is being validated and what is actually being processed, allowing malicious actors to exploit this discrepancy for privilege escalation.

The technical implementation of this vulnerability stems from the framework's inconsistent approach to file extension validation where the system relies on MIME type detection rather than client-provided filename extensions during the ext_in validation process. When a file named shell.php contains GIF-like content that triggers MIME type detection as image/gif, the validation rule incorrectly accepts it despite the php extension in the original filename. This behavior violates fundamental security principles of defense in depth and fails to properly implement input validation controls that should maintain consistency between file metadata and client-provided information.

The operational impact of this vulnerability is severe and directly maps to the attack pattern described in the ATT&CK framework under T1505.003 (Server Software Component) and T1059.007 (Command and Scripting Interpreter: PowerShell). Applications utilizing CodeIgniter versions before 4.7.3 that accept user uploads, rely on ext_in validation for security controls, store files in web-accessible directories, and permit execution of PHP files become vulnerable to arbitrary code execution attacks. The vulnerability creates a path for attackers to upload malicious PHP scripts disguised as legitimate image files, which can then be executed by the web server when accessed through the browser.

This flaw demonstrates a classic example of improper input validation that aligns with CWE-20 (Improper Input Validation) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability occurs because the framework's validation logic fails to properly enforce filename extension checks, creating a situation where file type detection based on content conflicts with user-provided metadata. Systems that depend on the ext_in rule for security boundaries become fundamentally compromised when attackers can bypass this control by manipulating file content to match expected MIME types while maintaining malicious extensions.

The mitigation strategy requires immediate upgrade to CodeIgniter version 4.7.3 or later, which addresses the validation logic inconsistency in the FileRules.php component. Organizations should also implement additional defensive measures including stricter file extension validation at multiple layers, content-based file type verification using multiple detection methods, and ensuring that uploaded files are stored outside web-accessible directories when possible. Security teams must review existing applications for reliance on the vulnerable ext_in rule and implement compensating controls such as file content analysis, mandatory sanitization of filenames, and proper file access controls to prevent execution of uploaded content in web contexts.

Responsible

GitHub M

Reservation

05/20/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!