SQL injection in CodeIgniter4 - #VU137012
Published: July 7, 2026
CodeIgniter4
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the Query Builder deleteBatch() method when using where() conditions. A remote attacker can supply crafted input to where() before deleteBatch() is called to execute arbitrary SQL commands.
This affects only the deleteBatch() code path; regular delete() operations escape where() binds correctly.