Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1953+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-48062: CodeIgniter File Upload Validation Bypass (CVSS 9.8)
CVE-2026-48062: CodeIgniter File Upload Validation Bypass (CVSS 9.8)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-48062

CVE-2026-48062: CodeIgniter File Upload Validation Bypass (CVSS 9.8)

CodeIgniter versions prior to 4.7.3 contain a critical file upload validation flaw where the ext_in rule checks MIME-derived extensions instead of client-provided filenames, enabling attackers to upload PHP shells disguised as images.

Dylan H.

Security Team

July 18, 2026
5 min read

Affected Products

  • CodeIgniter < 4.7.3

Executive Summary

A critical file upload validation bypass has been disclosed in the CodeIgniter PHP framework, tracked as CVE-2026-48062 with a CVSS score of 9.8. The flaw exists in the ext_in upload validation rule within system/Validation/StrictRules/FileRules.php. Prior to version 4.7.3, the rule incorrectly validates the MIME-derived guessed extension rather than the client-provided filename extension, allowing an attacker to upload a PHP web shell (e.g. shell.php containing a GIF magic byte header) that passes validation as an image but is executed as PHP by the server.

CVSS Score: 9.8 (Critical)


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-48062
CVSS Score9.8 (Critical)
TypeImproper Input Validation — File Upload (CWE-434)
Attack VectorNetwork
AuthenticationNone required (depends on application)
User InteractionNone
Confidentiality ImpactHigh
Integrity ImpactHigh
Availability ImpactHigh

Root Cause

The ext_in validation rule in FileRules.php was designed to restrict allowed file extensions. However, the rule evaluates the MIME-detected extension (inferred from the file's content/magic bytes) instead of the actual filename extension supplied by the client. An attacker can exploit this by:

  1. Naming a malicious PHP file shell.php
  2. Prepending a valid GIF magic byte sequence (GIF89a) to the file content
  3. The MIME detection sees image/gif → inferred extension gif → the ext_in[gif,jpg,png] rule passes
  4. The server stores the file as shell.php — which PHP will execute on request

This is a classic polyglot file upload bypass that leads directly to Remote Code Execution on vulnerable web servers.


Affected Versions

ProductAffected VersionsFixed Version
CodeIgniter< 4.7.34.7.3

All CodeIgniter 4.x deployments using the ext_in validation rule for file uploads prior to 4.7.3 are vulnerable.


Exploitation Walkthrough

1. Attacker crafts shell.php with GIF magic bytes:
   GIF89a<?php system($_GET['cmd']); ?>

2. Attacker uploads shell.php via any CodeIgniter file upload form
   using the ext_in[gif,jpg,png] validation rule

3. ext_in checks MIME-derived extension → detects "gif" → PASSES

4. File is stored on server as shell.php

5. Attacker requests /uploads/shell.php?cmd=id → RCE achieved

Why This Is Severe

  • No authentication required on many public-facing upload endpoints
  • MIME spoofing is trivial — prepending magic bytes is a well-known technique
  • Full RCE — arbitrary PHP execution on the web server
  • Widely deployed framework — CodeIgniter powers a significant portion of legacy and modern PHP applications

Impact

Applications built on CodeIgniter that:

  • Use the ext_in validation rule for file uploads
  • Allow user-submitted files to be stored in a web-accessible directory
  • Run on servers where PHP can execute uploaded files (most shared hosting, many VPS setups)

...are at risk of complete server compromise through this vulnerability.


Remediation

Upgrade Immediately

Upgrade to CodeIgniter 4.7.3 which corrects the ext_in rule to validate against the client-provided filename extension rather than the MIME-derived extension.

composer update codeigniter4/framework

Verify your version:

php spark --version

Interim Mitigations (if patching is delayed)

  1. Disable file uploads on publicly accessible forms until patched
  2. Replace ext_in with mime_in for validation — but combine with blocking PHP execution in upload directories (see below)
  3. Configure web server to deny PHP execution in upload directories:

Nginx:

location ~* /uploads/.*\.php$ {
    deny all;
}

Apache .htaccess in uploads directory:

php_flag engine off
  1. Store uploads outside the web root — serve through a controller that reads and streams the file rather than exposing the raw path
  2. Rename all uploaded files to a random UUID with no extension (or a safe extension) server-side, regardless of client-provided name

Detection

Signs of Exploitation

IndicatorDescription
PHP files in upload directoriesUploaded web shells
Unexpected outbound connections from web serverC2 communication post-exploitation
Anomalous process spawning from web server processCommand execution via shell
Upload requests with .php extensionsDirect upload attempts
Requests to /uploads/*.php pathsWeb shell access attempts

Log Review

Examine web server access logs for:

  • POST requests to upload endpoints followed by GET requests to the same path with query parameters
  • Repeated requests to *.php files in upload directories from the same source IP

Key Takeaways

  1. CVSS 9.8 Critical — trivial file upload bypass enables full RCE on CodeIgniter applications
  2. Polyglot exploit — GIF magic bytes bypass MIME detection; file is stored and executed as PHP
  3. Upgrade to 4.7.3 immediately — the fix corrects ext_in to check client filename extension
  4. Disable PHP execution in upload directories as defense-in-depth, regardless of framework version
  5. Store uploads outside the web root as a permanent architectural hardening measure

References

  • NVD — CVE-2026-48062
  • CodeIgniter GitHub — Security Advisories
  • CWE-434: Unrestricted Upload of File with Dangerous Type
  • OWASP — Unrestricted File Upload
#CVE-2026-48062#CodeIgniter#PHP#File Upload#RCE#Critical

Related Articles

CVE-2026-14635: Unrestricted File Upload RCE in CodeIgniter Ecommerce Bootstrap

A high-severity unrestricted file upload vulnerability in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows authenticated vendor users to upload...

3 min read

CVE-2026-15488: Unrestricted File Upload in shiroiAdmin Enables Remote Code Execution

A high-severity unrestricted file upload vulnerability in shiroiAdmin versions 1.1 and 1.3 allows unauthenticated remote attackers to upload PHP webshells and achieve remote code execution.

4 min read

CVE-2026-15158: WordPress Blocksy Companion Arbitrary File Upload (CVSS 9.8)

A critical arbitrary file upload vulnerability in the Blocksy Companion WordPress plugin (versions up to 2.1.46) allows unauthenticated attackers to...

5 min read
Back to all Security Alerts