[CRITICAL] CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule

PKSA-217t-qqjr-nkt3 CVE-2026-48062 GHSA-2gr4-ppc7-7mhx

Affected version: <4.7.2

Reported by:
GitHub

[CRITICAL] CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability

PKSA-7ybs-j1bv-y5mc CVE-2025-54418 GHSA-9952-gv64-x94c

Affected version: <4.6.2

Reported by:
GitHub

[MEDIUM] Missing validation of header name and value in codeigniter4/framework

PKSA-qbjf-dc24-wrff CVE-2025-24013 GHSA-x5mq-jjr3-vmx6

Affected version: <4.5.8

Reported by:
GitHub