Path traversal in CodeIgniter4 - #VU137013
Published: July 7, 2026
CodeIgniter4
Detailed vulnerability description
The vulnerability allows a remote attacker to overwrite files outside the intended upload directory.
The vulnerability exists due to path traversal in UploadedFile::move() when using the client-provided filename by default while handling file uploads without a second filename argument. A remote attacker can supply a crafted filename containing path traversal sequences to overwrite files outside the intended upload directory.
The issue occurs only when UploadedFile::move() is called without a second argument, and the impact depends on the destination path and server configuration.