Arbitrary file upload in CodeIgniter4 - #VU137010
Published: July 7, 2026
CodeIgniter4
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to unrestricted upload of file with dangerous type in the `is_image` and `mime_in` file upload validation rules when validating uploaded files. A remote attacker can upload a crafted file with a dangerous extension to execute arbitrary code.
Applications are impacted when uploaded files are saved using the client-supplied filename and placed in a web-accessible directory where PHP files can execute.