SB2026052301 - OS Command Injection in CodeIgniter4

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026052301

SB2026052301 - OS Command Injection in CodeIgniter4

Published: May 23, 2026

Security Bulletin ID SB2026052301
CSH Severity
High
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) OS Command Injection (CVE-ID: CVE-2025-54418)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to command injection in the ImageMagick handler when processing uploaded images with user-controlled filenames via the resize() method or adding text to images with user-controlled text content or options via the text() method. A remote attacker can supply crafted filenames, text content, or text options to execute arbitrary commands.

Only applications using the imagick image library are affected.


Remediation

Install update from vendor's website.

References