CVE-2026-48062
Received Received - Intake

CodeIgniter File Upload Extension Validation Bypass

Vulnerability report for CVE-2026-48062, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in upload validation rule in system/Validation/StrictRules/FileRules.php checked the MIME-derived guessed extension instead of the client-provided filename extension. As a result, an uploaded file named shell.php containing GIF-like content could pass validation such as uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif] because the detected MIME type maps to gif, even though the uploaded filename extension is php. Applications are impacted if they accept user-controlled uploads, rely on ext_in to validate the uploaded filename extension, save uploaded files using the original client filename with $file->move($path), store uploads in a web-accessible directory, and allow PHP or other executable files to run from that directory. In those conditions, this may lead to arbitrary code execution. This issue is fixed in version 4.7.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
codeigniter codeigniter to 4.7.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in CodeIgniter allows an attacker to bypass file upload restrictions by uploading a file with a malicious extension (e.g., .php) but disguised as a harmless file (e.g., GIF). The ext_in validation rule incorrectly checks the MIME-derived extension instead of the client-provided filename extension, enabling arbitrary code execution if the file is saved and executed in a web-accessible directory.

Detection Guidance

Check if your CodeIgniter application uses the ext_in validation rule for file uploads and if uploaded files are saved with client-provided filenames in web-accessible directories. Review file upload handling logic for potential misuse of MIME type detection.

Impact Analysis

If you use CodeIgniter versions before 4.7.3 and accept user uploads, this flaw could let attackers upload and execute malicious files on your server. This may lead to complete system compromise, data theft, or further attacks against your infrastructure.

Compliance Impact

This vulnerability could violate compliance requirements by enabling unauthorized access to sensitive data (GDPR Article 32, HIPAA Security Rule). If exploited, it may result in data breaches, leading to legal penalties, reputational damage, and failure to meet regulatory standards for data protection and integrity.

Mitigation Strategies

Upgrade CodeIgniter to version 4.7.3 or later. If upgrading is not possible, disable the ext_in validation rule for file uploads and implement server-side checks to validate file extensions against a whitelist. Ensure uploaded files are stored outside web-accessible directories or with strict permissions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48062. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart