=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN625
_____________________________________________________________________

DATE                : 12/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running codeigniter4/framework (Composer)
                             versions prior to 4.7.3.

=====================================================================
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-2gr4-ppc7-7mhx
_____________________________________________________________________


Uploaded file extension validation bypass in `ext_in` rule
Critical
paulbalandan published GHSA-2gr4-ppc7-7mhx May 20, 2026

Package
codeigniter4/framework (Composer)

Affected versions
< 4.7.2

Patched versions
4.7.3


Description
Impact

The ext_in upload validation rule checked the MIME-derived guessed
extension instead of the client-provided filename extension. As a
result, an uploaded file named shell.php containing GIF-like content
could pass validation such as:

uploaded[avatar]|is_image[avatar]|mime_in[avatar,image/gif]|ext_in[avatar,gif]

because the detected MIME type maps to gif, even though the uploaded
filename extension is php.

Applications are impacted if they:

    accept user-controlled uploads,
    rely on ext_in to validate the uploaded filename extension,
    save uploaded files using the original client filename: $file->move($path),
    store uploads in a web-accessible directory,
    and allow PHP or other executable files to run from that directory.

In those conditions, this may lead to arbitrary code execution. The
default application does not expose such an upload endpoint.


Patches

Upgrade to v4.7.3 or later.


Workarounds

    Save uploads outside the public web root, preferably under writable/uploads
    Use $file->store() or $file->move($path, $file->getRandomName())
    instead of preserving the original filename
    Disable script execution in any public upload directory
    Manually verify the client filename extension before moving the file
    Reject files when $file->getClientExtension() is not in the allowed
    list or does not match $file->guessExtension()
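The manual check the workarounds describe, written out as an added example (not code from the advisory or from the CodeIgniter project). The controller name, route and allowed-extension list are assumptions; it relies on CodeIgniter 4's UploadedFile API (getClientExtension(), guessExtension(), getRandomName(), move()) and the WRITEPATH constant:

```php
<?php

namespace App\Controllers;

use CodeIgniter\HTTP\ResponseInterface;

// Hypothetical controller illustrating the advisory's workarounds.
class AvatarController extends BaseController
{
    // Extensions we are willing to store, checked against the CLIENT filename.
    private const ALLOWED_EXTENSIONS = ['gif', 'png', 'jpg', 'jpeg'];

    public function upload(): ResponseInterface
    {
        // Framework rules. Before 4.7.3, ext_in alone is not sufficient because
        // it compares the MIME-guessed extension, not the client filename's.
        $rules = [
            'avatar' => 'uploaded[avatar]|is_image[avatar]'
                . '|mime_in[avatar,image/gif,image/png,image/jpeg]'
                . '|ext_in[avatar,gif,png,jpg,jpeg]',
        ];
        if (! $this->validate($rules)) {
            return $this->response->setStatusCode(400)->setJSON($this->validator->getErrors());
        }

        $file = $this->request->getFile('avatar');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setJSON(['error' => 'invalid upload']);
        }

        // Workaround: the extension the client sent must be on the allow list
        // AND agree with the extension derived from the file content.
        // "shell.php" with GIF bytes gives client=php, guessed=gif -> rejected.
        $clientExt  = strtolower($file->getClientExtension());
        $guessedExt = strtolower($file->guessExtension());
        if (! in_array($clientExt, self::ALLOWED_EXTENSIONS, true) || $clientExt !== $guessedExt) {
            return $this->response->setStatusCode(400)->setJSON(['error' => 'disallowed file extension']);
        }

        // Store outside the web root under a random name, never the client filename.
        $newName = $file->getRandomName();
        $file->move(WRITEPATH . 'uploads', $newName);

        return $this->response->setJSON(['stored_as' => $newName]);
    }
}
```

Even with the extension check in place, keep the upload directory outside the document root or with script execution disabled, so a bypass of the validation does not become code execution.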


References

    CodeIgniter4 uploaded files documentation
    CodeIgniter4 file upload validation documentation
    CWE-434: Unrestricted Upload of File with Dangerous Type
    OWASP File Upload Cheat Sheet

Severity
Critical
9.8 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2026-48062

Weaknesses
Weakness CWE-434

Credits

    z3moo (@z3moo), reporter
    teebow1e (@teebow1e), reporter


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================