Deserialization of Untrusted Data in CodeIgniter4 - CVE-2022-21647
Published: January 4, 2022 / Updated: May 23, 2026
CodeIgniter4
Detailed vulnerability description
The vulnerability allows a remote attacker to execute existing PHP code on the server.
The vulnerability exists due to deserialization of untrusted data in the old() function when processing serialized input. A remote attacker can inject auto-loadable arbitrary objects to execute existing PHP code on the server.
We are aware of a working exploit that can lead to SQL injection.