Codeigniter4/framework

This hub aggregates every CVE we track for Codeigniter4/framework, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Codeigniter4/framework.

• CVE-2025-54418CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability9.8Jul 28, 2025
• CVE-2025-45406A stored cross-site scripting (XSS) vulnerability in CodeIgniter4 v4.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the debugbar_time parameter. N...6.1Jul 25, 2025
• CVE-2025-24013CodeIgniter validation of header name and value5.3Jan 20, 2025
• CVE-2024-29904CodeIgniter4 Language class DoS Vulnerability7.5Mar 29, 2024
• CVE-2023-46240CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment7.5Oct 31, 2023
• CVE-2023-32692Remote Code Execution Vulnerability in Validation Placeholders9.8May 30, 2023
• CVE-2022-46170CodeIgniter is vulnerable to improper authentication via Session Handlers8.6Dec 22, 2022
• CVE-2022-23556CodeIgniter is vulnerable to IP address spoofing when using proxy7.0Dec 22, 2022
• CVE-2022-39284Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued in Codeigniter42.6Oct 6, 2022
• CVE-2022-24712Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability in CodeIgniter46.3Feb 28, 2022
• CVE-2022-24711Remote CLI Command Execution Vulnerability in CodeIgniter49.4Feb 28, 2022
• CVE-2022-21715Cross-site Scripting Vulnerability in CodeIgniter45.4Jan 24, 2022
• CVE-2022-21647Deserialization of Untrusted Data in Codeigniter47.7Jan 4, 2022
• CVE-2020-10793CodeIgniter through 4.0.0 allows remote attackers to gain privileges via a modified Email ID to the "Select Role of the User" page. NOTE: A contributor to the CodeIgniter framework argues that the ...8.8Mar 23, 2020
• CVE-2017-1000247British Columbia Institute of Technology CodeIgniter 3.1.3 is vulnerable to HTTP Header Injection in the set_status_header() common function under Apache resulting in HTTP Header Injection flaws.7.5Nov 17, 2017