A critical vulnerability, tracked as CVE-2026-48062, has been discovered in the CodeIgniter framework, which affects many PHP web applications. This flaw has a CVSS score of 9.8 and allows attackers arbitrary code execution due to insufficient validation in file uploads. The primary issue lies within the framework’s handling of MIME-derived extensions which can permit malicious files to bypass security checks. Sites that accept file uploads and utilize the `ext_in` rule for validation are particularly at risk.
The vulnerability can be mitigated by upgrading to CodeIgniter v4.7.3 and following recommended security practices, such as storing uploads outside the public web root and renaming files appropriately.